MFH: Backported allow_url_include from HEAD. This directive allows

separate control of URL handling in includes/requires allowing sites to
enable allow_url_fopen without enabling remote includes.

diff --git a/NEWS b/NEWS
index 9cbf11f1bcf136ae49037ffb194f34a9f7e780b2..ac2b2943c365bfec1ae2457835162c7064feb121 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -43,6 +43,7 @@ PHP                                                                        NEWS
   . Added readInnerXML(), readOuterXML(), readString(), setSchema(). (2.6.20+)
   . Changed to passing libxml options when loading reader.
 
+- Added allow_url_include ini directive to complement allow_url_fopen. (Rasmus)
 - Added automatic module globals management. (Dmitry)
 - Added RFC2397 (data: stream) support. (Marcus)
 - Added new error mode E_RECOVERABLE_ERROR. (Derick, Marcus, Tony)

diff --git a/main/main.c b/main/main.c
index 174705ccded894b4b6ea9ffb562f899d4ee0649e..e2e8e376109091ac6481e3c0c348b6e41246f28e 100644 (file)
--- a/main/main.c
+++ b/main/main.c
@@ -322,6 +322,7 @@ PHP_INI_BEGIN()
        PHP_INI_ENTRY("disable_classes",                        "",                     PHP_INI_SYSTEM,         NULL)
 
        STD_PHP_INI_BOOLEAN("allow_url_fopen",          "1",            PHP_INI_SYSTEM,         OnUpdateBool,                   allow_url_fopen,                        php_core_globals,       core_globals)
+       STD_PHP_INI_BOOLEAN("allow_url_include",                "0",            PHP_INI_SYSTEM,         OnUpdateBool,                   allow_url_include,                      php_core_globals,       core_globals)
        STD_PHP_INI_BOOLEAN("always_populate_raw_post_data",            "0",            PHP_INI_SYSTEM|PHP_INI_PERDIR,          OnUpdateBool,                   always_populate_raw_post_data,                  php_core_globals,       core_globals)
        STD_PHP_INI_ENTRY("realpath_cache_size", "16K", PHP_INI_SYSTEM, OnUpdateLong, realpath_cache_size_limit, virtual_cwd_globals, cwd_globals)
        STD_PHP_INI_ENTRY("realpath_cache_ttl", "120", PHP_INI_SYSTEM, OnUpdateLong, realpath_cache_ttl, virtual_cwd_globals, cwd_globals)

diff --git a/main/php_globals.h b/main/php_globals.h
index 5ce9de80d6241dab004196fb81b9a8e66d21fb93..582a4722771e0c1d40d347aba2e2da472b73867a 100644 (file)
--- a/main/php_globals.h
+++ b/main/php_globals.h
@@ -150,6 +150,7 @@ struct _php_core_globals {
 
        char *disable_functions;
        char *disable_classes;
+       zend_bool allow_url_include;
 };
 
 

diff --git a/main/streams/streams.c b/main/streams/streams.c
index 8a25d8d3bee924be5e0f0a6867e66a887fef7b9f..4a9c119801a0dc7caf0726812a9692c4ec690a7b 100755 (executable)
--- a/main/streams/streams.c
+++ b/main/streams/streams.c
@@ -1605,7 +1605,7 @@ PHPAPI php_stream_wrapper *php_stream_locate_url_wrapper(const char *path, char
                return &php_plain_files_wrapper;
        }
 
-       if (wrapperpp && (*wrapperpp)->is_url && !PG(allow_url_fopen)) {
+       if ((wrapperpp && (*wrapperpp)->is_url) && (!PG(allow_url_fopen) || ((options & STREAM_OPEN_FOR_INCLUDE) && !PG(allow_url_include))) ) {
                if (options & REPORT_ERRORS) {
                        php_error_docref(NULL TSRMLS_CC, E_WARNING, "URL file-access is disabled in the server configuration");
                }

diff --git a/php.ini-dist b/php.ini-dist
index ffbaae89b6e9de048f66d0ff31ca5b4822fb9607..8d2e74a5da470251005b09ac2b5c597babc1bb69 100644 (file)
--- a/php.ini-dist
+++ b/php.ini-dist
@@ -531,6 +531,9 @@ upload_max_filesize = 2M
 ; Whether to allow the treatment of URLs (like http:// or ftp://) as files.
 allow_url_fopen = On
 
+; Whether to allow include/require to open URLs (like http:// or ftp://) as files.
+allow_url_include = Off
+
 ; Define the anonymous ftp password (your email address)
 ;from="john@doe.com"