Bug 482456 - dev-lang/php-5.5 "php.ini" has insecure default of "allow_url_fopen = On"
Summary: dev-lang/php-5.5 "php.ini" has insecure default of "allow_url_fopen = On"
Status: RESOLVED UPSTREAM
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Default Configs
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
Reported: 2013-08-25 21:14 UTC by Martin
Modified: 2013-08-27 12:36 UTC
Description Martin 2013-08-25 21:14:38 UTC
dev-lang/php-5.5:

The default php.ini file for /etc/php/* has set:

allow_url_fopen = On

The website page

http://phpsec.org/projects/phpsecinfo/tests/allow_url_fopen.html

recommends that it instead be set to Off.

Running with it set to Off has no adverse effect on my website tests using PHP.


Reproducible: Always

Steps to Reproduce:
1. Emerge dev-lang/php
2. /etc/php/*/php.ini has "allow_url_fopen = On"
3.
Actual Results:  
In /etc/php/*/php.ini

allow_url_fopen = On

Expected Results:  
In /etc/php/*/php.ini

allow_url_fopen = Off

See:

http://phpsec.org/projects/phpsecinfo/tests/allow_url_fopen.html
Comment 1 Chris Reffett (RETIRED) gentoo-dev Security 2013-08-25 21:20:43 UTC
I suppose this is significant enough to merit a change in the default config. @php: your thoughts?
Comment 2 Ole Markus With (RETIRED) gentoo-dev 2013-08-26 06:10:39 UTC
(In reply to Chris Reffett from comment #1)
> I suppose this is significant enough to merit a change in the default
> config. @php: your thoughts?

We have had this discussion before and the points worth mentioning are:

* allow_url_fopen was, a long time ago, split into allow_url_fopen and allow_url_include. The former is about file_get_contents et al. and the latter is about include http://....  The former is on by default, the latter is not.

* Like it or not, PHP is a programming language, and developers are able to shoot themselves in all sorts of body parts. I do not see it as our job as a distribution to protect *developers* from themselves. I don't think we should recommend disabling curl on a system just because a developer can do eval(`curl $probablySafeStuff`);

Also, just because a website has security in its name does not mean they have a clue. Especially when their info seems to date back to 2007 or so ;)
Comment 3 Sergey Popov (RETIRED) gentoo-dev 2013-08-26 07:15:16 UTC
(In reply to Ole Markus With from comment #2)
> * Like it or not, PHP is a programming language, and developers are able to
> shot themselves in all sorts of body parts. I do not see it as our job as a
> distribution to protect *developers* from themselves. I don't think we
> should recommend disabling curl on a system just because a developer can do
> eval(`curl $probablySafeStuff`);

How about changing this setting in php.ini-production only? Because it is definitely good to have this setting Off by default on newly installed production servers.
Comment 4 Ole Markus With (RETIRED) gentoo-dev 2013-08-26 07:55:54 UTC
(In reply to Sergey Popov from comment #3)
> (In reply to Ole Markus With from comment #2)
> > * Like it or not, PHP is a programming language, and developers are able to
> > shot themselves in all sorts of body parts. I do not see it as our job as a
> > distribution to protect *developers* from themselves. I don't think we
> > should recommend disabling curl on a system just because a developer can do
> > eval(`curl $probablySafeStuff`);
> 
> How about change this setting in php.ini-production only? Cause it is
> definitely good to have this settings Off by default on newly installed
> production servers.

After the split between include and fopen, it is widely common to do stuff like json_decode(file_get_contents($someUrl)). Would you also suggest production servers should come with python's urllib off by default or ruby's open-uri?

Also, in general, I would need a really good reason to change any upstream default since upstream default is what people expect.

So I honestly do not understand why allow_url_fopen should be off on any kind of server.
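The allow_url_fopen / allow_url_include split from comment 2 and the json_decode(file_get_contents($someUrl)) idiom from comment 4, as an added example that is not from the bug thread or the Gentoo php package: url_stream_settings() and fetch_json() are hypothetical helper names, and api.example.com is a constructed allowlist entry. Written for PHP 5.x so it matches the version under discussion.

```php
<?php
// Added example, not part of the bug thread or of dev-lang/php.

// Report the two ini directives the thread distinguishes, as booleans.
// ini_get() returns "" or "0" for a boolean directive that is Off.
function url_stream_settings()
{
    return array(
        'allow_url_fopen'   => filter_var(ini_get('allow_url_fopen'),   FILTER_VALIDATE_BOOLEAN),
        'allow_url_include' => filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN),
    );
}

// The json_decode(file_get_contents($url)) idiom, with the application-side
// checks that make it safe while allow_url_fopen stays On: the URL must use
// https and name a host from a fixed allowlist, so user input cannot point the
// fetch at file://, php://, data: or an internal host. Returns null on failure.
function fetch_json($url, array $allowedHosts)
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme']) || $parts['scheme'] !== 'https') {
        return null;                        // reject every non-https wrapper
    }
    $host = isset($parts['host']) ? strtolower($parts['host']) : '';
    if (!in_array($host, $allowedHosts, true)) {
        return null;                        // not one of our known APIs
    }
    $ctx = stream_context_create(array('http' => array(
        'timeout'         => 5,             // do not hang the worker on a slow peer
        'follow_location' => 0,             // a redirect could leave the allowlist
    )));
    $body = @file_get_contents($url, false, $ctx);
    if ($body === false) {
        return null;
    }
    $data = json_decode($body, true, 64);   // cap nesting depth
    return is_array($data) ? $data : null;
}

// Usage: the allowlist is constructed for this example.
$allowed = array('api.example.com');
var_dump(url_stream_settings());
var_dump(fetch_json('file:///tmp/example.json', $allowed));           // NULL: wrong scheme
var_dump(fetch_json('https://evil.example.net/x.json', $allowed));    // NULL: host not allowed
var_dump(fetch_json('https://api.example.com/v1/status', $allowed));  // NULL offline, array online
```

Run with `php -d allow_url_include=1 example.php` to see url_stream_settings() flag the directive that comment 2 says must stay Off.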
Comment 5 Ole Markus With (RETIRED) gentoo-dev 2013-08-26 07:59:39 UTC
This is the last discussion we had about this: bug 332763
Comment 6 Sergey Popov (RETIRED) gentoo-dev 2013-08-27 12:36:27 UTC
Ok, arguments seem reasonable. Closing this as UPSTREAM, because this default is not a security issue itself; it can just be used insecurely in applications (and this is an application problem, not the language itself).