Debian Bug report logs - #579922
libapache2-mod-php5: change allow_url_fopen = Off

Package: libapache2-mod-php5; Maintainer for libapache2-mod-php5 is (unknown);

Reported by: Toni Mueller <support@oeko.net>

Date: Sun, 2 May 2010 10:57:02 UTC

Severity: wishlist

Tags: wontfix

Done: Ondřej Surý <ondrej@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#579922; Package libapache2-mod-php5. (Sun, 02 May 2010 10:57:05 GMT).


Acknowledgement sent to Toni Mueller <support@oeko.net>:
New Bug report received and forwarded. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Sun, 02 May 2010 10:57:05 GMT).


Message #5 received at submit@bugs.debian.org:

From: Toni Mueller <support@oeko.net>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libapache2-mod-php5: change allow_url_fopen = Off
Date: Sun, 02 May 2010 12:47:13 +0200
Package: libapache2-mod-php5
Severity: wishlist


Hi,

while revisiting the latest Typo3 problem, I found that Debian ships
with

allow_url_fopen = On


I suggest that this be changed to


allow_url_fopen = Off


to reduce the chance of PHP applications being exploited, and, if you
really need to, place a big flashing warning around it to warn users
against changing it to "On" again.




Kind regards,
--Toni++



-- System Information:
Debian Release: squeeze/sid
  APT prefers testing
  APT policy: (990, 'testing'), (250, 'unstable'), (50, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-4-686-bigmem (SMP w/4 CPU cores)
Locale: LANG=de_DE.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages libapache2-mod-php5 depends on:
pn  apache2-mpm-pre <none>                   (no description available)
ii  apache2.2-commo 2.2.15-3                 Apache HTTP Server common files
ii  libbz2-1.0      1.0.5-4                  high-quality block-sorting file co
ii  libc6           2.10.2-6                 Embedded GNU C Library: Shared lib
ii  libcomerr2      1.41.11-1                common error description library
ii  libdb4.6        4.6.21-16                Berkeley v4.6 Database Libraries [
ii  libkrb53        1.6.dfsg.4~beta1-5lenny2 MIT Kerberos runtime libraries
ii  libmagic1       5.04-2                   File type determination library us
ii  libpcre3        7.8-3                    Perl 5 Compatible Regular Expressi
ii  libssl0.9.8     0.9.8n-1                 SSL shared libraries
ii  libxml2         2.7.7.dfsg-2             GNOME XML library
ii  mime-support    3.48-1                   MIME files 'mime.types' & 'mailcap
ii  php5-common     5.3.2-1                  Common files for packages built fr
ii  tzdata          2010i-1                  time zone and daylight-saving time
ii  ucf             3.0025                   Update Configuration File: preserv
ii  zlib1g          1:1.2.3.4.dfsg-3         compression library - runtime

libapache2-mod-php5 recommends no packages.

Versions of packages libapache2-mod-php5 suggests:
ii  php-pear                      5.3.2-1    PEAR - PHP Extension and Applicati




Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#579922; Package libapache2-mod-php5. (Wed, 05 May 2010 19:36:03 GMT).


Acknowledgement sent to Raphael Geissert <geissert@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Wed, 05 May 2010 19:36:04 GMT).


Message #10 received at 579922@bugs.debian.org:

From: Raphael Geissert <geissert@debian.org>
To: Toni Mueller <support@oeko.net>, 579922@bugs.debian.org, control@bugs.debian.org
Subject: Re: [php-maint] Bug#579922: libapache2-mod-php5: change allow_url_fopen = Off
Date: Wed, 5 May 2010 14:34:11 -0500
tag 579922 wontfix
thanks

Hi,

On Sunday 02 May 2010 05:47:13 Toni Mueller wrote:
> I suggest that this be changed to
> 
> allow_url_fopen = Off
> 
> to reduce the chance of PHP applications being exploited, and, if you
> really need to, place a big flashing warning around it to warn users
> against changing it to "On" again.
> 

No, there are fair use cases for using stream wrappers and making this change 
would break many applications. 

Feel free to take this upstream and make the change happen there.

Cheers,
-- 
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net




Added tag(s) wontfix. Request was from Raphael Geissert <geissert@debian.org> to control@bugs.debian.org. (Wed, 05 May 2010 19:36:05 GMT).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#579922; Package libapache2-mod-php5. (Sun, 29 Aug 2010 11:15:02 GMT).


Acknowledgement sent to Thijs Kinkhorst <thijs@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Sun, 29 Aug 2010 11:15:02 GMT).


Message #17 received at 579922@bugs.debian.org:

From: Thijs Kinkhorst <thijs@debian.org>
To: pkg-php-maint@lists.alioth.debian.org, Toni Mueller <support@oeko.net>
Cc: 579922@bugs.debian.org
Subject: Re: [php-maint] Bug#579922: Bug#579922: libapache2-mod-php5: change allow_url_fopen = Off
Date: Sun, 29 Aug 2010 13:11:29 +0200
On Wednesday 5 May 2010, Raphael Geissert wrote:
> On Sunday 02 May 2010 05:47:13 Toni Mueller wrote:
> > I suggest that this be changed to
> >
> > 
> >
> > allow_url_fopen = Off
> >
> > 
> >
> > to reduce the chance of PHP applications being exploited, and, if you
> > really need to, place a big flashing warning around it to warn users
> > against changing it to "On" again.
> >
> > 
> 
> No, there are fair use cases for using stream wrappers and making this
> change  would break many applications.
> 
> Feel free to take this upstream and make the change happen there.

Note that since PHP5, include/require have a separate allow_url_include 
parameter which *does* default to Off, making having allow_url_fopen On a lot 
less of a risk than it was in the 4.x era.


Cheers,
Thijs
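
An added example, not part of the bug log or of Debian's PHP packaging: a small Python check that reads php.ini text and reports which of the two directives discussed in this thread are effectively enabled. The function names, result labels and sample file are assumptions made for illustration; the defaults encode what the thread states (allow_url_fopen On, allow_url_include Off).

```python
import re

# Defaults when php.ini does not set the directive, as described in the thread.
DEFAULTS = {"allow_url_fopen": True, "allow_url_include": False}
TRUE_WORDS = {"1", "on", "true", "yes"}

# Constructed sample php.ini: a commented-out line and an inline comment.
SAMPLE_INI = """\
[PHP]
; allow_url_include = On
allow_url_fopen = On
allow_url_include = Off   ; left at its default
"""

def parse_ini_bool(raw):
    """Interpret a value using PHP's On/Off, Yes/No, True/False convention."""
    value = raw.split(";", 1)[0].strip().strip("\"'").lower()
    if value in TRUE_WORDS:
        return True
    # Off/False/No/None/empty are false; a bare integer is true when non-zero.
    return bool(re.fullmatch(r"-?\d+", value)) and int(value) != 0

def effective_settings(ini_text):
    """Return both directives' effective values; the last assignment wins."""
    settings = dict(DEFAULTS)
    for line in ini_text.splitlines():
        # Lines beginning with ';' are comments and never match.
        m = re.match(r"\s*(allow_url_(?:fopen|include))\s*=(.*)$", line)
        if m:
            settings[m.group(1)] = parse_ini_bool(m.group(2))
    return settings

def assess(ini_text):
    """Label the configuration by how far URL wrappers are enabled."""
    s = effective_settings(ini_text)
    if s["allow_url_include"]:
        return "url-include-enabled"   # allow_url_include has been switched On
    if s["allow_url_fopen"]:
        return "remote-read-only"      # fopen On, include Off (PHP 5 default)
    return "url-wrappers-off"          # the setting the report asks for

if __name__ == "__main__":
    print(effective_settings(SAMPLE_INI), assess(SAMPLE_INI))
```
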

Marked Bug as done Request was from Ondřej Surý <ondrej@debian.org> to control@bugs.debian.org. (Wed, 09 Jul 2014 08:24:24 GMT).


Notification sent to Toni Mueller <support@oeko.net>:
Bug acknowledged by developer. (Wed, 09 Jul 2014 08:24:25 GMT).


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 07 Aug 2014 07:28:16 GMT).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Jul 2 01:18:21 2023; Machine Name: bembo
