Allow url_fopen

[copernic2006]

Hi,
I have a number requests from customers who want the allow url_fopen function is activated.
Do you think the risk is minimal by activating (url_include remain disabled)?
Thank you for sharing your opinions and experience.

[mikeshinn]

Its fairly risky function to allow, basically lets PHP allow URLs as files. This is one of the older ways of hacking PHP applications via a remote file include attack. Do you know what web applications they are using that require this?

[copernic2006]

Hello Mike,
The most recent case is that of a client that uses a component for wordpress (http://codecanyon.net/item/woocommerce- ... r/10959830)
This client is not hosted by me since this afternoon (no great loss, considering safety).
In the past, I had client in joomla who also requested that this feature be permitted.

[faris]

I've had a few clients that want url_fopen and I normally refuse.

I will make exceptions if I feel the risk is worth it though. But not very often.

[prupert]

Allowing url_fopen is very unsafe. More so because it is usually used by poorly written scripts. Using the cURL functions is a fine alternative.

There really is no sane reason to keep allow_url_fopen enabled.