Is allow_url_fopen safe? [duplicate]

Answer 1

This is just one reason why you may want allow_url_fopen set to 0

Let's say you allow users to enter a url, and you have your server fetch this url.

You might code something like this: - YOU SHOULD NOT CODE THIS -

echo file_get_contents($_POST['url']);

Problem is that there is a security issue here. Somebody could pass a file path instead of a url and have access to your server's files.

For example, somebody might pass /etc/passwd as a url, and be able to view its contents.

Now, if allow_url_fopen were set to 0, you wouldn't be using file_get_contents to fetch URL's, you would be using CURL.

Answer 2

allow_url_fopen is fine. If you need the feature, enable it. There are better tools out there for loading data from remote URLs (like the curl extension), but it's good enough for some simple use cases.

Its close relative, allow_url_include, is not safe. It allows functions like include() and require() to load and run code from remote URLs, which is a really bad idea. Leave that one turned off.

In the past, allow_url_include didn't always exist as a distinct option, so it was necessary to turn allow_url_fopen off to prevent badly written scripts from including data from remote URLs. That's no longer the case, though.