From 6bfeea9eb9543cb5a5f2c024a57f7c8ecfc84968 Mon Sep 17 00:00:00 2001 From: Rasmus Lerdorf Date: Fri, 16 Jun 2006 14:09:01 +0000 Subject: [PATCH] MFH: Backported allow_url_include from HEAD. This directive allows separate control of URL handling in includes/requires allowing sites to enable allow_url_fopen without enabling remote includes. --- NEWS | 1 + main/main.c | 1 + main/php_globals.h | 1 + main/streams/streams.c | 2 +- php.ini-dist | 3 +++ 5 files changed, 7 insertions(+), 1 deletion(-) diff --git a/NEWS b/NEWS index 9cbf11f1bc..ac2b2943c3 100644 --- a/NEWS +++ b/NEWS @@ -43,6 +43,7 @@ PHP NEWS . Added readInnerXML(), readOuterXML(), readString(), setSchema(). (2.6.20+) . Changed to passing libxml options when loading reader. +- Added allow_url_include ini directive to complement allow_url_fopen. (Rasmus) - Added automatic module globals management. (Dmitry) - Added RFC2397 (data: stream) support. (Marcus) - Added new error mode E_RECOVERABLE_ERROR. (Derick, Marcus, Tony) diff --git a/main/main.c b/main/main.c index 174705ccde..e2e8e37610 100644 --- a/main/main.c +++ b/main/main.c @@ -322,6 +322,7 @@ PHP_INI_BEGIN() PHP_INI_ENTRY("disable_classes", "", PHP_INI_SYSTEM, NULL) STD_PHP_INI_BOOLEAN("allow_url_fopen", "1", PHP_INI_SYSTEM, OnUpdateBool, allow_url_fopen, php_core_globals, core_globals) + STD_PHP_INI_BOOLEAN("allow_url_include", "0", PHP_INI_SYSTEM, OnUpdateBool, allow_url_include, php_core_globals, core_globals) STD_PHP_INI_BOOLEAN("always_populate_raw_post_data", "0", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateBool, always_populate_raw_post_data, php_core_globals, core_globals) STD_PHP_INI_ENTRY("realpath_cache_size", "16K", PHP_INI_SYSTEM, OnUpdateLong, realpath_cache_size_limit, virtual_cwd_globals, cwd_globals) STD_PHP_INI_ENTRY("realpath_cache_ttl", "120", PHP_INI_SYSTEM, OnUpdateLong, realpath_cache_ttl, virtual_cwd_globals, cwd_globals) diff --git a/main/php_globals.h b/main/php_globals.h index 5ce9de80d6..582a472277 100644 
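Review bot: The new `allow_url_include` entry in the main.c INI table has no comment tying it to `allow_url_fopen`, although the streams.c hunk of this patch only consults it when `allow_url_fopen` is also enabled. A one-line comment above the entry would record that dependency and why it is registered as `PHP_INI_SYSTEM` with default `"0"`, for example `/* consulted only for include/require and only when allow_url_fopen is on; keep PHP_INI_SYSTEM so it cannot be enabled per-directory or at runtime */`. That guards against a later change loosening the scope to `PHP_INI_PERDIR` or `PHP_INI_ALL` without noticing the security intent. The PHP_INI_BEGIN() table starts and ends outside the hunk.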
--- a/main/php_globals.h +++ b/main/php_globals.h @@ -150,6 +150,7 @@ struct _php_core_globals { char *disable_functions; char *disable_classes; + zend_bool allow_url_include; }; diff --git a/main/streams/streams.c b/main/streams/streams.c index 8a25d8d3be..4a9c119801 100755 --- a/main/streams/streams.c +++ b/main/streams/streams.c @@ -1605,7 +1605,7 @@ PHPAPI php_stream_wrapper *php_stream_locate_url_wrapper(const char *path, char return &php_plain_files_wrapper; } - if (wrapperpp && (*wrapperpp)->is_url && !PG(allow_url_fopen)) { + if ((wrapperpp && (*wrapperpp)->is_url) && (!PG(allow_url_fopen) || ((options & STREAM_OPEN_FOR_INCLUDE) && !PG(allow_url_include))) ) { if (options & REPORT_ERRORS) { php_error_docref(NULL TSRMLS_CC, E_WARNING, "URL file-access is disabled in the server configuration"); } diff --git a/php.ini-dist b/php.ini-dist index ffbaae89b6..8d2e74a5da 100644 --- a/php.ini-dist +++ b/php.ini-dist @@ -531,6 +531,9 @@ upload_max_filesize = 2M ; Whether to allow the treatment of URLs (like http:// or ftp://) as files. allow_url_fopen = On +; Whether to allow include/require to open URLs (like http:// or ftp://) as files. +allow_url_include = Off + ; Define the anonymous ftp password (your email address) ;from="john@doe.com" -- 2.40.0
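Review bot: The new include gate in php_stream_locate_url_wrapper() only takes effect for wrappers whose `is_url` flag is set and for callers that pass `STREAM_OPEN_FOR_INCLUDE`, and neither condition can be verified from this hunk. The NEWS context in this patch lists RFC2397 (data: stream) support as another addition in this release. It is therefore worth confirming that every wrapper able to return content not stored on the local filesystem is registered with `is_url` set, and that every include/require path sets the option bit. Otherwise `allow_url_include = Off` protects less than the php.ini comment suggests. Separately, both refusals emit the same warning, so an administrator cannot tell which directive blocked the open; a distinct message for the include case, such as `"URL include is disabled in the server configuration (allow_url_include)"`, would help triage. The function body starts and ends outside the hunk.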
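Review bot: The comment added above `allow_url_include` in php.ini-dist does not say that the directive depends on `allow_url_fopen`. Per the streams.c condition in this patch, a URL include is refused whenever `allow_url_fopen` is Off, whatever this setting says. I would add a second comment line such as `; Requires allow_url_fopen = On; leave Off unless including remote code is really intended.` so that an administrator reading only the ini file sees both the dependency and the reason for the Off default.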