Add allow_url_include to let people turn on allow_url_fopen without also

enabling remote code execution through url wrappers

diff --git a/main/main.c b/main/main.c
index 81b9a3138266d87b7ce58cbee2dfa51c6aae047d..2a78b4ed6ff986aee64e3498fffe9bddb0db9dd1 100644 (file)
--- a/main/main.c
+++ b/main/main.c
@@ -439,6 +439,7 @@ PHP_INI_BEGIN()
        PHP_INI_ENTRY("disable_classes",                        "",                     PHP_INI_SYSTEM,         NULL)
 
        STD_PHP_INI_BOOLEAN("allow_url_fopen",          "1",            PHP_INI_SYSTEM,         OnUpdateBool,                   allow_url_fopen,                        php_core_globals,       core_globals)
+       STD_PHP_INI_BOOLEAN("allow_url_include",                "0",            PHP_INI_SYSTEM,         OnUpdateBool,                   allow_url_include,                      php_core_globals,       core_globals)
        STD_PHP_INI_BOOLEAN("always_populate_raw_post_data",            "0",            PHP_INI_SYSTEM|PHP_INI_PERDIR,          OnUpdateBool,                   always_populate_raw_post_data,                  php_core_globals,       core_globals)
 #ifdef REALPATH_CACHE
        STD_PHP_INI_ENTRY("realpath_cache_size", "16K", PHP_INI_SYSTEM, OnUpdateLong, realpath_cache_size_limit, virtual_cwd_globals, cwd_globals)

diff --git a/main/php_globals.h b/main/php_globals.h
index 65c6a2f987f2c9256e14623629a8b2a62b64d5f7..0ca83bbdc3da9b07d4daa7a50fd53950320bb248 100644 (file)
--- a/main/php_globals.h
+++ b/main/php_globals.h
@@ -150,6 +150,7 @@ struct _php_core_globals {
 
        char *disable_functions;
        char *disable_classes;
+       zend_bool allow_url_include;
 };
 
 

diff --git a/main/streams/streams.c b/main/streams/streams.c
index f00f9627f52a0ae5b8f90220349b9b29ae4d2bfb..a455692e4030d535123ae0d6039053d77adfd41d 100755 (executable)
--- a/main/streams/streams.c
+++ b/main/streams/streams.c
@@ -2205,7 +2205,7 @@ PHPAPI php_stream_wrapper *php_stream_locate_url_wrapper(const char *path, char
                return &php_plain_files_wrapper;
        }
 
-       if (wrapper && wrapper->is_url && !PG(allow_url_fopen)) {
+       if ((wrapper && wrapper->is_url) && (!PG(allow_url_fopen) || (options & STREAM_OPEN_FOR_INCLUDE) && !PG(allow_url_include)) ) {
                if (options & REPORT_ERRORS) {
                        php_error_docref(NULL TSRMLS_CC, E_WARNING, "URL file-access is disabled in the server configuration");
                }

diff --git a/php.ini-dist b/php.ini-dist
index 96f47d32480cd7d345fbf1ff5f108d4d0e9ad308..de3c031e8d20aee309b7280cd066781777fd369d 100644 (file)
--- a/php.ini-dist
+++ b/php.ini-dist
@@ -529,6 +529,8 @@ upload_max_filesize = 2M
 
 ; Whether to allow the treatment of URLs (like http:// or ftp://) as files.
 allow_url_fopen = On
+; Whether to allow code execution through URL wrappers
+allow_url_include = Off
 
 ; Define the anonymous ftp password (your email address)
 ;from="john@doe.com"

diff --git a/php.ini-recommended b/php.ini-recommended
index 0bb77ab9ffa9323da35eff0590b026ca2da8e443..ba1ce7f38eb55c3d7647412ab34d8dca2851e116 100644 (file)
--- a/php.ini-recommended
+++ b/php.ini-recommended
@@ -586,6 +586,8 @@ upload_max_filesize = 2M
 
 ; Whether to allow the treatment of URLs (like http:// or ftp://) as files.
 allow_url_fopen = On
+; Whether to allow code execution through URL wrappers
+allow_url_include = Off
 
 ; Define the anonymous ftp password (your email address)
 ;from="john@doe.com"