5

In PHP, the allow_url_fopen flag controls whether or not remote URLs can be used by various file system functions, in order to access remote files.

It is recommended security best practice nowadays to disable this option, as it is a potential attack vector. However, any code which depends on this functionality in order to work would be broken if the setting is disabled. For example, I know of at least one reCaptcha plugin which uses file_get_contents() to access the Google API and which therefore depends on this flag.

In order to check the code in our applications to determine whether it is safe to disable this flag (with a view to rewriting, where necessary) I need a canonical list of the PHP functions that it affects. However, I have been unable to find such a list - there doesn't seem to be one on the PHP website and a Google search didn't turn anything up.

  • Can anyone provide a list of all PHP functions whose behaviour is affected by allow_url_fopen?

The accepted answer should reference an authoritative source or provide details about methodology used to compile the list, to demonstrate its correctness and completeness.

HappyDog
  • Have you checked the source code of PHP where the setting `allow_url_fopen` is used and go backwards from that? – Progman Mar 23 '19 at 16:42
  • That's the fallback approach, I guess, if this information doesn't exist anywhere else, but it sounds like a lot of work. – HappyDog Mar 24 '19 at 06:28

2 Answers

4

The list of functions is massive, as the allow_url_fopen ini directive is implemented in PHP's streams system, meaning anything that uses PHP's network streams is affected.

This includes functions from pretty much every extension of PHP that does not use an external library for gaining access to a remote file, as some extensions, like cURL, use their own transport layer outside that of PHP.

Some extensions, notoriously ext/soap, do bypass this directive in some ways (for what reason I don't exactly know, as I'm not familiar with the internals of this extension).

Any function from the standard library (implemented in main/, Zend/, ext/standard and ext/spl) respects this directive, meaning every Filesystem, Stream, Include and URL Wrapper function does. Off the top of my head I also know that ext/exif does this.

I cannot remember off the top of my head if the XML-based extensions (such as ext/libxml, ext/simplexml, ext/xmlreader, ext/xmlwriter, ext/dom) do this, but I'm certain that there was a point in the past where they did not respect it, as the path was directly supplied to LibXML2 underneath.

Kalle
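An added example, not part of Kalle's answer, showing how the streams layer exposes the classification the answer describes. PHP's stream_is_local() looks up the wrapper for a path and returns false when that wrapper is flagged as a URL wrapper; that flag is what fopen(), copy(), file_exists() and the other path-taking functions check together with allow_url_fopen, so a path that is "not local" here is one they refuse once the directive is off. The PHP manual's wrapper table lists php://, phar:// and glob:// as not restricted by allow_url_fopen and data:// as restricted, which is why the guard below rejects non-file wrappers on top of the stream_is_local() check. The sample paths are constructed, and classify_paths() and require_plain_file_path() are names chosen for this example.

```php
<?php
// Added example, not code from the answer: probes how PHP's stream layer
// classifies a path, which is the classification allow_url_fopen gates.
declare(strict_types=1);

/**
 * For each path, report whether PHP's stream layer treats it as a URL wrapper.
 * stream_is_local() opens nothing, so it is safe to call on untrusted input.
 * A path that is not local is exactly one that fopen()/copy()/file_exists()/...
 * will refuse with allow_url_fopen=0.
 */
function classify_paths(array $paths): array
{
    // allow_url_fopen is PHP_INI_SYSTEM: readable here, but not changeable via ini_set().
    $allowUrlFopen = filter_var(ini_get('allow_url_fopen'), FILTER_VALIDATE_BOOLEAN);
    $report = [];
    foreach ($paths as $path) {
        $isLocal = stream_is_local($path);
        $report[$path] = [
            'local'        => $isLocal,
            'gated_by_ini' => !$isLocal,
            'usable_now'   => $isLocal || $allowUrlFopen,
        ];
    }
    return $report;
}

/**
 * Guard for user-influenced paths handed to any path-taking function.
 * Refuses everything allow_url_fopen would gate AND every other wrapper except
 * file://: php://, phar:// and glob:// count as "local" to the stream layer and
 * are unaffected by the directive, but they are still not plain files.
 */
function require_plain_file_path(string $path): string
{
    if (!stream_is_local($path)) {
        throw new InvalidArgumentException("remote wrapper refused: $path");
    }
    if (preg_match('#^(?!file://)[a-z][a-z0-9+.-]*://#i', $path)) {
        throw new InvalidArgumentException("non-file wrapper refused: $path");
    }
    return $path;
}

// Constructed sample inputs.
$samples = [
    '/etc/hostname',
    'file:///etc/hostname',
    'php://memory',
    'https://example.com/',
    'ftp://example.com/x',
    'data://text/plain;base64,SGk=',
];

foreach (classify_paths($samples) as $path => $r) {
    printf("%-32s local=%-5s gated_by_allow_url_fopen=%s\n",
        $path, var_export($r['local'], true), var_export($r['gated_by_ini'], true));
}

$candidates = [
    '/etc/hostname',
    'https://example.com/',
    'php://filter/read=convert.base64-encode/resource=/etc/passwd',
];
foreach ($candidates as $p) {
    try {
        require_plain_file_path($p);
        echo "accepted: $p\n";
    } catch (InvalidArgumentException $e) {
        echo $e->getMessage(), "\n";
    }
}
```

Run it once with allow_url_fopen=1 and once with allow_url_fopen=0 (a php.ini or -d allow_url_fopen=0 on the command line): the "gated" column does not change, because stream_is_local() reports the wrapper's classification rather than the current directive value, which is what makes it usable for deciding ahead of time which paths a flip of the directive will break. The guard is the piece to put in front of calls whose path argument is attacker-influenced, independent of what the directive is set to.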
1

This is crying out for a list of functions/methods that can take either a file path or a URL when allow_url_fopen is enabled. Making it community wiki, as the reason I found this question was that I was looking for such a list and am unsure that I am considering every corner case.

Opens a file

  • copy
  • file
  • file_get_contents
  • file_put_contents
  • fopen
  • simplexml_load_file

Stats a file

  • file_exists
  • filemtime
  • filesize
  • filetype
  • is_dir
  • is_file

Note: not all of these will work for every kind of URL. For example, "https://" URLs do not allow writing, so copy and file_put_contents will fail on such destinations. Meanwhile, ftp:// URLs do allow writing. Similar issues with file_exists.

I am deliberately not including functions like fwrite and fclose, because those in particular take the results of fopen. So to my mind, it is fopen that is impacted, not fwrite nor fclose, because fwrite can't open a file; only fopen can (of those three). So it is fopen that needs checking, not subsequent uses of fwrite or fclose. Those will work or fail if fopen does.

This is why I find answers like "Any function from the standard library" less than helpful. Most of those functions will work with streams opened under allow_url_fopen, but they will not themselves open such a stream. There may be many functions and methods that take resources that were originally opened via a URL, but I don't care about them unless they participate in the opening.

Another way of stating this is that I'm trying to list all functions that accept a URL (e.g. https://stackoverflow.com/ ) as a file path when allow_url_fopen is enabled (but not when it is disabled). Functions like fwrite and fclose do not do this (they take resources, not file paths). So I don't care about them even if their behavior is impacted by allow_url_fopen. I realize that the original question does not make this clear, but I believe that this was what was intended.

Related: list of supported protocols and wrappers.

The fsockopen and curl functions can open URLs even with allow_url_fopen turned off.

mdfst13
  • `I realize that the original question does not make this clear, but I believe that this was what was intended.` - Yes, that was the intention. I need to find all uses of function whose behaviour will change if `allow_url_fopen` is disabled, and I agree that functions that operate on an opened file handle resource will not be affected. – HappyDog Jul 30 '21 at 14:10
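An added example, not part of mdfst13's answer, that turns the two lists above into the audit the question asks for: a token_get_all()-based scanner that reports every plain call to one of the listed functions and classifies its path argument as a local literal (unaffected by the directive), a remote literal (breaks once allow_url_fopen=0), or something dynamic that has to be reviewed by hand. The function list is the answer's; the function names (find_url_capable_calls and its helpers) and the sample source being scanned are constructed for this example.

```php
<?php
// Added example (not code from the answer): static scan of PHP source for
// calls to the path-taking functions listed above, classifying the path
// argument so a codebase can be audited before allow_url_fopen is turned off.
declare(strict_types=1);

// The "Opens a file" and "Stats a file" lists from the answer; extend as needed.
const URL_PATH_FUNCTIONS = [
    'copy', 'file', 'file_get_contents', 'file_put_contents', 'fopen', 'simplexml_load_file',
    'file_exists', 'filemtime', 'filesize', 'filetype', 'is_dir', 'is_file',
];

/** Index of the nearest non-whitespace, non-comment token after ($step=1) or before ($step=-1) $i. */
function code_token(array $tokens, int $i, int $step): ?int
{
    for ($j = $i + $step; $j >= 0 && $j < count($tokens); $j += $step) {
        if (!is_array($tokens[$j]) || !in_array($tokens[$j][0], [T_WHITESPACE, T_COMMENT, T_DOC_COMMENT], true)) {
            return $j;
        }
    }
    return null;
}

/**
 * Classify the call argument that starts at token $k:
 *   literal-local   a single string literal with no scheme, or file://
 *   literal-remote  a single string literal with another scheme (http://, ftp://, data:, ...)
 *   dynamic         anything else (variable, concatenation, call); needs manual review
 * Returns [kind, index of the ',' or ')' that ends the argument].
 */
function classify_argument(array $tokens, int $k): array
{
    $depth = 0;
    for ($end = $k, $n = count($tokens); $end < $n; $end++) {
        $t = $tokens[$end];
        if ($t === '(' || $t === '[') {
            $depth++;
        } elseif ($t === ')' || $t === ']') {
            if ($depth === 0) { break; }
            $depth--;
        } elseif ($t === ',' && $depth === 0) {
            break;
        }
    }
    $single = is_array($tokens[$k]) && $tokens[$k][0] === T_CONSTANT_ENCAPSED_STRING
        && code_token($tokens, $k, 1) === $end;
    if (!$single) {
        return ['dynamic', $end];
    }
    $literal = substr($tokens[$k][1], 1, -1); // strip the quotes
    $remote = preg_match('#^(?!file://)(?:data:|[a-z][a-z0-9+.-]*://)#i', $literal) === 1;
    return [$remote ? 'literal-remote' : 'literal-local', $end];
}

/** Every plain call to a listed function in $source: [line, function, argument kinds]. */
function find_url_capable_calls(string $source): array
{
    $tokens = token_get_all($source);
    $hits = [];
    foreach ($tokens as $i => $t) {
        if (!is_array($t)) { continue; }
        $isName = $t[0] === T_STRING
            || (defined('T_NAME_FULLY_QUALIFIED') && $t[0] === T_NAME_FULLY_QUALIFIED); // PHP 8: "\fopen"
        $name = $isName ? strtolower(ltrim($t[1], '\\')) : '';
        if (!in_array($name, URL_PATH_FUNCTIONS, true)) { continue; }
        // Skip method calls, static calls and the definition of a same-named function.
        $p = code_token($tokens, $i, -1);
        if ($p !== null && is_array($tokens[$p])
            && in_array($tokens[$p][0], [T_OBJECT_OPERATOR, T_DOUBLE_COLON, T_FUNCTION], true)) { continue; }
        $open = code_token($tokens, $i, 1);
        if ($open === null || $tokens[$open] !== '(') { continue; }
        // copy() takes two paths (source and destination); the rest take one.
        $kinds = [];
        $k = code_token($tokens, $open, 1);
        for ($want = $name === 'copy' ? 2 : 1; $want > 0 && $k !== null && $tokens[$k] !== ')'; $want--) {
            [$kind, $end] = classify_argument($tokens, $k);
            $kinds[] = $kind;
            $k = ($end < count($tokens) && $tokens[$end] === ',') ? code_token($tokens, $end, 1) : null;
        }
        $hits[] = ['line' => $t[2], 'function' => $name, 'args' => $kinds];
    }
    return $hits;
}

// Constructed sample input: a PHP file mixing local, remote and dynamic paths.
$sample = <<<'PHP'
<?php
$cfg  = file_get_contents(__DIR__ . '/config.json');
$html = file_get_contents('https://example.com/api/verify');
$ok   = file_exists('/var/www/uploads/' . $name);
if (is_file($path)) { $fh = fopen($path, 'r'); }
copy('ftp://backup.example/site.tgz', '/tmp/site.tgz');
$lines = file('/etc/hosts');
$obj->file('a method call, not the function: ignored');
PHP;

foreach (find_url_capable_calls($sample) as $h) {
    printf("line %d: %-18s %s\n", $h['line'], $h['function'], implode(', ', $h['args']));
}
```

To audit a tree, feed each .php file's contents to find_url_capable_calls() and triage: literal-remote hits are the calls that stop working when the directive is disabled (the reCaptcha case from the question), literal-local hits can be ignored, and dynamic hits need a look at where the value comes from, since a user-controlled path into any of these functions is the case the directive exists to shut down. The scanner only classifies the first path argument (both for copy()); it does not follow variables, so a variable assigned a URL two lines earlier is reported as dynamic rather than remote, which is the conservative outcome for an audit.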