NYCPHP Meetup

NYPHP.org

[nycphp-talk] allow_url_fopen (was: parse file, return as string)

George Schlossnagle george at omniti.com
Thu Aug 19 15:35:00 EDT 2004


On Aug 19, 2004, at 3:24 PM, David Mintz wrote:
>>
> I realize that's what the docs say, yet interestingly enough, I can
> ini_set this value on at least one of the hosts I use.
>
> <?php
> echo "Current value: " ;
> echo  ini_get('allow_url_fopen')  ?  'enabled' : 'disabled' ;
> ini_set('allow_url_fopen',1);
> echo " ....and now:  ";
> echo ini_get('allow_url_fopen')  ?  'enabled' : 'disabled' ;
> phpinfo();
> ?>
>
> Ouput:
>
> Current value: disabled ....now: enabled
>
> Followed by our phpinfo which says allow_url_fopen: master value off,
> local value on. (PHP 4.3.4 running as an Apache 1.3.29 module)

Your clients are running a version 4 point releases and nearly a year 
old.  You should upgrade, for the sake of this security issue as well 
as others.

George

p.s. the issue you describe was fixed in 4.3.5, over half a year ago.




More information about the talk mailing list