For the past few years we have as policy prevented the use of PHP allow_url_fopen on our shared and reseller web servers in order to mitigate against the most common code exploits and attack vectors seen within customers PHP code.
After some consideration, changes within the way PHP does things and extensive testing we are to again allow allow_url_fopen but will continue to deny allow_url_include privileges for the following customers/servers.
What does allow_url_fopen / allow_url_include mean?
Code similar to the below would be denied previously but will work now:
php $handle = fopen(“http://domain.ext/file.txt”, “r”); $content = file_get_contents(“http://domain.ext/file.txt”, “r”); ?>
Code similar to that below will continue to be denied:
php $pagef = $_REQUEST[“pagef”]; include ($pagef); ?>
For more information about the use of remote files within PHP please see the PHP manual and other online resources.
What about other servers?
All servers now run with allow_url_fopen =1 and allow_url_include = 0.
Classification: Public
Last saved: 2021/11/11 at 14:24 by Jamie