[nycphp-talk] allow_url_fopen (was: parse file, return as string)
David Mintz
dmintz at davidmintz.org
Thu Aug 19 16:18:10 EDT 2004
On Thu, 19 Aug 2004, George Schlossnagle wrote:
> > Ouput:
> >
> > Current value: disabled ....now: enabled
> >
> > Followed by our phpinfo which says allow_url_fopen: master value off,
> > local value on. (PHP 4.3.4 running as an Apache 1.3.29 module)
>
> Your clients are running a version 4 point releases and nearly a year
> old. You should upgrade, for the sake of this security issue as well
> as others.
>
> George
>
> p.s. the issue you describe was fixed in 4.3.5, over half a year ago.
Oh my. Thanks for the enlightenment. I think these guys (pair Networks)
are running the version they're running for reasons of their own other
than laziness/cluelessness, but who knows.
Their customer newsletter recently said, hey, we are now setting
allow_url_fopen = off in our php.ini (because of all the carelessly
written stuff that had been hacked on their servers), so if you need it,
you better ini_set() it yourself.
I guess whenever they do upgrade, and if they do keep that setting, I can
either run in CGI mode and write my own damn php.ini, or use cURL. Or...
what would you suggest, if you need to go out and fetch a web page
somewhere once in a while?
Oops, reading again I see: "you should upgrade." Maybe I'll try compiling
my own 4.3.8 and using CGI mode.
---
David Mintz
http://davidmintz.org/
"Anybody else got a problem with Webistics?" -- Sopranos 24:17
More information about the talk
mailing list