Re: data stream restricted by allow_url_fopen (Bug #47336)
Hi!
> I have run into a bug, which is open since 2009. It would be nice if
> you could look at https://bugs.php.net/bug.php?id=47336 It has been
> marked as “documentation problem”. But in my opinion the
> implementation should follow the documentation and allow fopen
> “data://” streams even if “allow_url_fopen” is set to “false”.
> Because it is not like opening a maybe manipulated URL.
>
> It would be really nice if this bug could be fixed, soon.
I'm afraid it is not a good idea. allow_url_fopen is meant to protect
file functions (fopen and friends) from being injected with
user-controlled data - i.e. if you control the filesystem and you do
fopen() under allow_url_fopen then it is reasonable to assume the data
under that filename is under your control. However, data:// URLs clearly
violate this assumption no less than http:// URLs do - data: just does
it without even requiring a web server.
--
Stanislav Malyshev, Software Architect
SugarCRM: http://www.sugarcrm.com/
(408)454-6900 ext. 227
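The point Stanislav makes above is that allow_url_fopen is a coarse guard, and that a name like data://... is just as attacker-controlled as an http:// URL. The defensive consequence is that code taking file names from users should reject stream-wrapper URLs itself, before fopen() ever sees them, rather than relying on the ini setting. The following is an added example, written for this page and not code from the thread or from PHP itself; it assumes POSIX-style paths (a Windows drive letter such as C:\ would be caught by the scheme check) and a hypothetical base directory chosen by the caller.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread or from PHP. Assumes POSIX paths
// and a caller-chosen base directory that user-supplied names must stay under.

/**
 * True when $name carries a stream-wrapper scheme such as data:, php:,
 * http://, file://, phar:// or compress.zlib://. PHP accepts both
 * "data://..." and the bare RFC 2397 form "data:...", so the test is
 * "scheme followed by a colon", not only "scheme://".
 */
function looks_like_stream_url(string $name): bool
{
    return preg_match('#^[A-Za-z][A-Za-z0-9+.\-]*:#', $name) === 1;
}

/**
 * Resolve a user-supplied file name to a real path strictly below $baseDir,
 * or return null if the name is a wrapper URL, contains a NUL byte, or
 * escapes the base directory. Independent of allow_url_fopen: the reject
 * happens before fopen() is called.
 */
function resolve_local_file(string $baseDir, string $name): ?string
{
    if ($name === '' || looks_like_stream_url($name) || strpos($name, "\0") !== false) {
        return null;
    }
    $realBase = realpath($baseDir);
    if ($realBase === false) {
        return null;
    }
    // realpath() collapses "..", symlinks and duplicate separators; false
    // means the target does not exist, which is also a rejection for a reader.
    $real = realpath($realBase . DIRECTORY_SEPARATOR . $name);
    if ($real === false) {
        return null;
    }
    $prefix = rtrim($realBase, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($real, $prefix, strlen($prefix)) === 0 ? $real : null;
}

/** Open a user-named file for reading only after resolve_local_file() accepts it. */
function open_user_file(string $baseDir, string $name)
{
    $path = resolve_local_file($baseDir, $name);
    if ($path === null) {
        throw new InvalidArgumentException("refusing to open '$name': not a plain file under $baseDir");
    }
    return fopen($path, 'rb');
}

// Constructed demonstration: a temporary directory holding one real file.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'fopen-demo-' . getmypid();
mkdir($base);
file_put_contents($base . DIRECTORY_SEPARATOR . 'report.txt', "quarterly numbers\n");

$inputs = [
    'report.txt',                         // accepted: plain file under $base
    'data://text/plain;base64,SGVsbG8=',  // rejected: data wrapper
    'data:text/plain,hello',              // rejected: bare RFC 2397 form
    'php://stdin',                        // rejected: php wrapper
    '../../etc/hosts',                    // rejected: escapes $base (or does not exist)
];
foreach ($inputs as $name) {
    $result = resolve_local_file($base, $name);
    printf("%-40s -> %s\n", $name, $result === null ? 'REJECTED' : 'ok: ' . $result);
}

unlink($base . DIRECTORY_SEPARATOR . 'report.txt');
rmdir($base);
```

The scheme regex deliberately matches any RFC 3986-style scheme followed by a colon rather than a fixed list, so wrappers registered later by extensions (or via stream_wrapper_register()) are refused as well; the realpath() containment check then handles traversal and symlinks for the names that survive.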