From: Rasmus Lerdorf Date: Fri, 18 Nov 2005 16:20:43 +0000 (+0000) Subject: Add allow_url_include to let people turn on allow_url_fopen without also X-Git-Tag: RELEASE_2_0_2~183 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=e1f1857978f90741bf4a381f5ddc90e3b0c3df68;p=php Add allow_url_include to let people turn on allow_url_fopen without also enabling remote code execution through url wrappers
---
diff --git a/main/main.c b/main/main.c
index 81b9a31382..2a78b4ed6f 100644
--- a/main/main.c
+++ b/main/main.c
@@ -439,6 +439,7 @@ PHP_INI_BEGIN()
 PHP_INI_ENTRY("disable_classes", "", PHP_INI_SYSTEM, NULL)
 STD_PHP_INI_BOOLEAN("allow_url_fopen", "1", PHP_INI_SYSTEM, OnUpdateBool, allow_url_fopen, php_core_globals, core_globals)
+ STD_PHP_INI_BOOLEAN("allow_url_include", "0", PHP_INI_SYSTEM, OnUpdateBool, allow_url_include, php_core_globals, core_globals)
 STD_PHP_INI_BOOLEAN("always_populate_raw_post_data", "0", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateBool, always_populate_raw_post_data, php_core_globals, core_globals)
 #ifdef REALPATH_CACHE
 STD_PHP_INI_ENTRY("realpath_cache_size", "16K", PHP_INI_SYSTEM, OnUpdateLong, realpath_cache_size_limit, virtual_cwd_globals, cwd_globals)
diff --git a/main/php_globals.h b/main/php_globals.h
index 65c6a2f987..0ca83bbdc3 100644
--- a/main/php_globals.h
+++ b/main/php_globals.h
@@ -150,6 +150,7 @@ struct _php_core_globals {
 char *disable_functions;
 char *disable_classes;
+ zend_bool allow_url_include;
 };
diff --git a/main/streams/streams.c b/main/streams/streams.c
index f00f9627f5..a455692e40 100755
--- a/main/streams/streams.c
+++ b/main/streams/streams.c
@@ -2205,7 +2205,7 @@ PHPAPI php_stream_wrapper *php_stream_locate_url_wrapper(const char *path, char
 return &php_plain_files_wrapper;
 }
- if (wrapper && wrapper->is_url && !PG(allow_url_fopen)) {
+ if ((wrapper && wrapper->is_url) && (!PG(allow_url_fopen) || (options & STREAM_OPEN_FOR_INCLUDE) && !PG(allow_url_include)) ) {
 if (options & REPORT_ERRORS) {
 php_error_docref(NULL TSRMLS_CC, E_WARNING, "URL file-access is disabled in the server configuration");
 }
diff --git a/php.ini-dist b/php.ini-dist
index 96f47d3248..de3c031e8d 100644
--- a/php.ini-dist
+++ b/php.ini-dist
@@ -529,6 +529,8 @@ upload_max_filesize = 2M
 ; Whether to allow the treatment of URLs (like http:// or ftp://) as files.
 allow_url_fopen = On
+; Whether to allow code execution through URL wrappers
+allow_url_include = Off
 ; Define the anonymous ftp password (your email address)
 ;from="john@doe.com"
diff --git a/php.ini-recommended b/php.ini-recommended
index 0bb77ab9ff..ba1ce7f38e 100644
--- a/php.ini-recommended
+++ b/php.ini-recommended
@@ -586,6 +586,8 @@ upload_max_filesize = 2M
 ; Whether to allow the treatment of URLs (like http:// or ftp://) as files.
 allow_url_fopen = On
+; Whether to allow code execution through URL wrappers
+allow_url_include = Off
 ; Define the anonymous ftp password (your email address)
 ;from="john@doe.com"
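Review bot: The include gate in the rewritten `if` only applies to wrappers flagged `is_url` and to opens that carry `STREAM_OPEN_FOR_INCLUDE`, so a wrapper registered with `is_url` unset but able to return caller-supplied data would presumably still be includable with allow_url_include off; the wrapper table and the include call sites are outside this hunk, so both need confirming. I would record that contract at the check: `/* allow_url_include gates only is_url wrappers opened with STREAM_OPEN_FOR_INCLUDE */`. The warning text is also identical for both denials, so a log line cannot show which setting blocked the open; selecting it with `PG(allow_url_fopen) ? "URL file-inclusion is disabled in the server configuration" : "URL file-access is disabled in the server configuration"` and passing it through a `"%s"` format would separate the two. The mixed `||`/`&&` term is correct by precedence but reads more safely as `((options & STREAM_OPEN_FOR_INCLUDE) && !PG(allow_url_include))`. The function body starts and ends outside the hunk.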
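Review bot: The added comment does not say that allow_url_include has any effect only while allow_url_fopen is On; the streams.c condition in this commit refuses every URL wrapper open when allow_url_fopen is off, so an administrator reading the sample could expect the new setting to work on its own. I would word it as `; Whether to allow include-type opens through URL wrappers. Requires allow_url_fopen = On.` and keep the shipped default of Off. The same comment applies to the identical hunk in php.ini-recommended.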