allow_url_fopen

lambro28
Posts: 50
Joined: Sun Jan 03, 2021 2:47 pm
Has thanked: 10 times
Been thanked: 6 times

allow_url_fopen

Post by lambro28 »

My php.ini file says allow_url_fopen is on. I have checked it on the control panel, and via FTP view file.
But in the admin - security checks it says it's not on.

Is this an issue?
ecartz
Lead Developer
Posts: 2637
Joined: Tue Nov 05, 2019 6:02 pm
Has thanked: 4 times
Been thanked: 181 times

Re: allow_url_fopen

Post by ecartz »

The "security check" does

Code:

      if ((int)ini_get('allow_url_fopen') == 0) return false;

So it is answering what the view is from a PHP script. That is more reliable than checking files.

That said, this isn't actually what I would call a security check. It's checking if the feature is available rather than if there is a security vulnerability. If the feature not working isn't causing you problems, then it's not a big deal that it's not working.

I haven't attempted to review what lines of code require allow_url_fopen to be on. I do know that some of them have alternatives. For example, the Web class fails over to curl and then fsockopen. So anything that uses the Web class should work even if allow_url_fopen is off. It's possible that everything fails over now and we could drop the allow_url_fopen requirement. It's also possible that there is some feature that you don't normally use that doesn't work at the moment. Someone would have to go through the code and find all the places where a URL might be opened as if it were a local file and check them. Checking them isn't so hard, but listing them would be tedious.

An alternative would be to just go through and test every feature from the interface. But again, listing out every feature would be tedious. And that would be a much broader set of checks, so that would be tedious as well.

Absent a volunteer or team of volunteers to do either of those, I don't have a better solution than "watch out for things that might access remote files that don't work".
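
Added example, not part of the thread and not the project's own code: a stand-alone PHP diagnostic that reports which ini files the running PHP actually loaded, the value it sees for allow_url_fopen, and whether the curl and fsockopen fallbacks mentioned above are usable. The function names `ini_flag`, `fn_usable` and `transport_report` are hypothetical.

```php
<?php
// Added diagnostic, not project code. Request it through the same web server
// and PHP handler as the shop, then delete it: it reveals server paths.

/** Interpret ini_get() for a boolean directive; null if the directive is unknown. */
function ini_flag(string $name): ?bool
{
    $raw = ini_get($name);
    if ($raw === false) {
        return null;
    }
    // ini_get() can return "1", "0", "" or the literal text such as "On"/"Off".
    return filter_var($raw, FILTER_VALIDATE_BOOLEAN);
}

/** True when a function exists and is not listed in disable_functions. */
function fn_usable(string $fn): bool
{
    $disabled = array_map('trim', explode(',', (string) ini_get('disable_functions')));
    return function_exists($fn) && !in_array($fn, $disabled, true);
}

/** Collect what the running PHP sees, in the failover order named in the post. */
function transport_report(): array
{
    return [
        'sapi'            => PHP_SAPI,
        'loaded_ini'      => php_ini_loaded_file() ?: '(none)',
        'scanned_ini'     => trim((string) php_ini_scanned_files()) ?: '(none)',
        'raw_value'       => var_export(ini_get('allow_url_fopen'), true),
        'allow_url_fopen' => ini_flag('allow_url_fopen'),
        'https_wrapper'   => in_array('https', stream_get_wrappers(), true),
        'curl'            => extension_loaded('curl') && fn_usable('curl_exec'),
        'fsockopen'       => fn_usable('fsockopen'),
    ];
}

header('Content-Type: text/plain');
foreach (transport_report() as $key => $value) {
    if (is_bool($value)) {
        $value = $value ? 'yes' : 'no';
    }
    printf("%-16s %s\n", $key, $value ?? 'unknown');
}
```

If `loaded_ini` is not the file that was viewed over FTP, the running PHP is reading its settings from somewhere else.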
burt
Lead Developer
Posts: 2423
Joined: Tue Oct 29, 2019 9:37 am
Has thanked: 49 times
Been thanked: 137 times

Re: allow_url_fopen

Post by burt »

When we introduced the "Certified Developers" page and module (in admin), it was (still is) powered by an XML file. The code needs to open that XML file from a remote server so that it can show you (in your admin area) some details. It was coded quickly using allow_url_fopen, and so a check module was made telling users that allow_url_fopen needs to be on.

Since then the system has been updated at least two times (so no more total reliance on allow_url_fopen), so I think (as Matt rightly points out) that this "security check" is no longer needed.
Gamechanger Addon: Queued Emails, try before you buy.
lambro28
Posts: 50
Joined: Sun Jan 03, 2021 2:47 pm
Has thanked: 10 times
Been thanked: 6 times

Re: allow_url_fopen

Post by lambro28 »

Thank you both for your help,