
This is an old revision of the document!


PHP RFC: Remove allow_url_include INI

Introduction

allow_url_include is INI_SYSTEM, therefore include/require always ignore the setting for certain stream wrappers. allow_url_include does not actually disallow URL-form includes. It allows “phar://” regardless of the allow_url_include setting, which helps attackers obfuscate attack scripts. For example, include("phar://evil_phar_file/evil_script.php") is allowed at any time. The current behavior may allow certain types of security filters to be bypassed and an attacker's script to be executed.

The current allow_url_include behavior is wrong for 3 reasons.

  1. Implicit allowance of URLs is problematic. It is the “caller's” responsibility to set this setting as intended. (Or the “callee” must have an API for overriding it to do the job.)
  2. It does not make “include/require” behave as the INI setting name implies.
  3. Being INI_SYSTEM increases the risk of security filter bypass.

allow_url_include being INI_SYSTEM gives a false sense of security. It also violates the simple API principle that

  • the “caller” must have the responsibility to set the correct setting for the conditions.

or

  • the “callee” must have an API/parameter to set the correct conditions for the API.

The current allow_url_include and related API satisfy neither of them.
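A caller-side guard that does the job the INI setting does not, as an added example that is not part of this RFC or of PHP itself. The function name resolve_local_include() and the temporary demo directory are hypothetical; the phar:// string is the one quoted in the Introduction.

```php
<?php
declare(strict_types=1);

// Added example (not part of the RFC or PHP). resolve_local_include() and
// the demo directory are hypothetical names chosen for illustration.
function resolve_local_include(string $path, string $baseDir): string
{
    // Refuse any "scheme:" form outright: phar://, http://, data:, ...
    // (two or more scheme characters, so a Windows drive letter is not matched).
    if (preg_match('#^[a-z][a-z0-9+.\-]+:#i', $path) === 1) {
        throw new InvalidArgumentException('stream wrapper not allowed');
    }
    // realpath() only resolves real filesystem entries, never wrapper URLs.
    $base = realpath($baseDir);
    $real = realpath($baseDir . DIRECTORY_SEPARATOR . $path);
    if ($base === false || $real === false || !is_file($real)) {
        throw new InvalidArgumentException('not an existing local file');
    }
    // The canonical path must stay under the base directory (blocks ../).
    if (strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        throw new InvalidArgumentException('outside include directory');
    }
    return $real;
}

// Constructed demo input: a temporary directory with one includable file.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'inc_demo_' . getmypid();
$demoFile = $dir . DIRECTORY_SEPARATOR . 'header.php';
mkdir($dir);
file_put_contents($demoFile, "<?php return 'header loaded';");

$candidates = [
    'header.php',                             // plain local file: accepted
    'phar://evil_phar_file/evil_script.php',  // form quoted in the RFC: rejected
    '../header.php',                          // points outside the base: rejected
];
foreach ($candidates as $candidate) {
    try {
        $value = include resolve_local_include($candidate, $dir);
        echo $candidate, ' => ', $value, "\n";
    } catch (InvalidArgumentException $e) {
        echo $candidate, ' => rejected: ', $e->getMessage(), "\n";
    }
}
// The INI value alone does not say whether the phar wrapper is reachable.
printf("allow_url_include=%s, phar wrapper registered=%s\n",
    var_export(ini_get('allow_url_include'), true),
    var_export(in_array('phar', stream_get_wrappers(), true), true));

unlink($demoFile);
rmdir($dir);
```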

Proposal

  • Remove allow_url_include INI setting.
  • Introduce an “allow_url_include” flag to include*/require*() as the 2nd parameter.
  include 'script.php' [, $allow_url_include=FALSE ];

Backward Incompatible Changes

Some include/require statements that use implicit URL includes will need the 2nd parameter.

Proposed PHP Version(s)

PHP 7.0

RFC Impact

To SAPIs

CLI - loading phar as main script is allowed by default.

To Existing Extensions

Phar scripts are affected, but not Phar extension.

To Opcache

None

New Constants

None

php.ini Defaults

allow_url_include ini is removed.

Open Issues

Unaffected PHP Functionality

allow_url_fopen

Future Scope

allow_url_fopen has the same issues. However, allow_url_fopen is less of an issue because it does not parse and execute scripts.

Proposed Voting Choices

Requires 2/3 majority

Patches and Tests

TBD

Implementation

After the project is implemented, this section should contain

  1. the version(s) it was merged to
  2. a link to the git commit(s)
  3. a link to the PHP manual entry for the feature

References

Links to external references, discussions or RFCs

Rejected Features

Keep this updated with features that were discussed on the mail lists.

rfc/allow_url_include.1425000731.txt.gz · Last modified: 2017/09/22 13:28 (external edit)