views:

1525

answers:

5

We have a couple of developers asking for 'allow_url_fopen' to be enabled on our server. What's the norm these days and if libcurl is enabled is there really any good reason to allow?

Environment is: Windows 2003, PHP 5.2.6, FastCGI

Thanks Kev

+2  A: 

You definitely want allow_url_include set to Off, which mitigates many of the risks of allow_url_fopen as well.

But because not all versions of PHP have allow_url_include, best practice for many is to turn off fopen. Like with all features, the reality is that if you don't need it for your application, disable it. If you do need it, the curl module probably can do it better, and refactoring your application to use curl to disable allow_url_fopen may deter the least determined cracker.

Daniel Papasian
What are these risks? I'm so glad I don't work for a company where the sysadmins disable language features based on vague StackOverflow answers
Ben James
Hey Ben, I've seen quite a few cases where variables are passed to include() (or fopen()) that are believed by the developer to reference a local file but instead they are URLs referencing malicious PHP code stored offsite.I can think of few sane reasons why anyone would want to include("http://..") and consequently real security is improved by turning that functionality off. See http://en.wikipedia.org/wiki/Remote_File_Inclusion
Daniel Papasian
A: 

Cross-site scripting attacks are a pain, so that's a vote against. And you should absolutely have "allow_url_include" set to off, or you'll be in for a world of hurt.

Michael Cramer
+1  A: 

I think the answer comes down to how well you trust your developers to use the feature responsibly? Data from a external URL should be treated like any other untrusted input and as long as that is understood, what's the big deal?

The way I see it is that if you treat your developers like children and never let them handle sharp things, then you'll have developers who never learn the responsibility of writing secure code.

A: 

It depends on the type of development. If your prototyping then enabling 'allow_url_fopen' is fine however there isn't a significant speed difference between libcurl and file_get_contents and enabling it is only a matter of convenience.

For production servers any call to libcurl should be flagged for a security audit. As should fopen and file_get_contents if 'allow_url_fopen' is enabled. Disabling 'allow_url_fopen' does not prevent exploits it only slightly limits the number of ways they can be done.

gradbot
+1  A: 

The big problem is that allow_url_fopen is not more secured, so if you want to save file from a url using curl, you must pass from fopen/file_get to save the file.

  • CURL is only good to retrieve remote content from URL. (allow_url_fopen not necessary)
  • CURL must be added with Fopen or File_get if you want to save remote file to your server. (allow_url_fopen obligatory with CURL)

Php must find other ways to make it more secured.

Maverick