We have a couple of developers asking for
allow_url_fopen to be enabled on our server. What’s the norm these days and if
libcurl is enabled is there really any good reason to allow?
Environment is: Windows 2003, PHP 5.2.6, FastCGI
You definitely want
allow_url_include set to Off, which mitigates many of the risks of
allow_url_fopen as well.
But because not all versions of PHP have
allow_url_include, best practice for many is to turn off fopen. Like with all features, the reality is that if you don’t need it for your application, disable it. If you do need it, the curl module probably can do it better, and refactoring your application to use curl to disable
allow_url_fopen may deter the least determined cracker.
I think the answer comes down to how well you trust your developers to use the feature responsibly? Data from a external URL should be treated like any other untrusted input and as long as that is understood, what’s the big deal?
The way I see it is that if you treat your developers like children and never let them handle sharp things, then you’ll have developers who never learn the responsibility of writing secure code.
Cross-site scripting attacks are a pain, so that’s a vote against. And you should absolutely have “allow_url_include” set to off, or you’ll be in for a world of hurt.
It depends on the type of development. If your prototyping then enabling ‘allow_url_fopen’ is fine however there isn’t a significant speed difference between libcurl and file_get_contents and enabling it is only a matter of convenience.
For production servers any call to libcurl should be flagged for a security audit. As should fopen and file_get_contents if ‘allow_url_fopen’ is enabled. Disabling ‘allow_url_fopen’ does not prevent exploits it only slightly limits the number of ways they can be done.
The big problem is that allow_url_fopen is not more secured, so if you want to save file from a url using curl, you must pass from fopen/file_get to save the file.
- CURL is only good to retrieve remote content from URL.
(allow_url_fopen not necessary)
- CURL must be added with Fopen or File_get if you want to save remote
file to your server.
(allow_url_fopen obligatory with CURL)
Php must find other ways to make it more secured.