Overview
The PHP parameter allow_url_fopen has been disabled in the PHP environment for the Grid. If enabled, allow_url_fopen allows PHP’s file functions to retrieve data from remote locations such as an FTP server or web site, and could lead to code injection vulnerabilities. Typically, these code injection vulnerabilities occur from improper input filtering when passing user-provided data to PHP functions. Disabling this setting will help stop your site from being hacked, as well as help to avoid the unauthorized use of our servers for abusive or malicious purposes.
What you should do
We highly suggest researching and examining the aspects of your site’s code that depend on this functionality. There are many safer methods to accomplish the same desired results without this possible security issue.
- Use a relative path to the file stored locally.
- Use the PHP environment variable $_SERVER['DOCUMENT_ROOT'], which returns the absolute path to the web root directory.
- cURL is another method that could be used. (This method is beyond the scope of this article. For more information, please see: http://php.net/manual/en/book.curl.php.)
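The alternatives listed above, as an added example that is not part of the original article: user-provided file names are resolved against $_SERVER['DOCUMENT_ROOT'] and rejected if they look like a URL or leave the base directory, and remote data is fetched with cURL as a string rather than opened through PHP's file functions. The function names local_path and fetch_remote and the includes directory are hypothetical; the code assumes PHP 7.1 or later with the cURL extension.

```php
<?php
// Added example. local_path(), fetch_remote() and 'includes' are hypothetical names.

/**
 * Resolve a requested file name to a local path under the web root.
 * Returns null for anything that is a URL or that escapes the base directory.
 */
function local_path(string $name, string $subdir = 'includes'): ?string
{
    $base = realpath($_SERVER['DOCUMENT_ROOT'] . '/' . $subdir);
    if ($base === false) {
        return null;                        // base directory is missing
    }
    // Reject scheme-style input (http://, ftp://, php://, data:) outright.
    if (preg_match('#^[a-z][a-z0-9+.\-]*:#i', $name)) {
        return null;
    }
    $path = realpath($base . '/' . $name);  // resolves ../ and symlinks
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ($path === false || strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;                        // not found, or outside $base
    }
    return $path;
}

/**
 * Fetch remote data with cURL instead of handing a URL to fopen() or
 * file_get_contents(). The body comes back as a string and is treated
 * as data only; it is never passed to include or require.
 */
function fetch_remote(string $url): ?string
{
    $ch = curl_init($url);
    if ($ch === false) {
        return null;
    }
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTPS, // https only
        CURLOPT_FOLLOWLOCATION => false,           // do not follow redirects
        CURLOPT_TIMEOUT        => 10,
    ]);
    $body = curl_exec($ch);
    return $body === false ? null : $body;
}

// Usage with a constructed request parameter named "page".
$file = local_path($_GET['page'] ?? 'header.php');
if ($file !== null) {
    include $file;
}
```

Where the set of includable files is known in advance, checking the name against a fixed list before calling local_path() narrows this further.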
Workaround
You can enable ‘allow_url_fopen’ by editing your php.ini file. The process is straightforward: add the following line to your own php.ini file at /home/****/etc/php.ini. If you are just starting to use a custom php.ini file, you may also need to change the memory_limit value.
CODE:
allow_url_fopen = 1
FAQ:
After making this change, my sites no longer work and I get the error “Fatal error: Allowed memory size of 8388608 bytes exhausted..”, how do I fix this?
CODE:
memory_limit = 100M
cgi.fix_pathinfo=1