#11823 allow_url_fopen: security concerns and implementation

Posted in ‘Admin Tools for Joomla! 4 & 5’

Environment Information

Joomla! version
n/a
PHP version
n/a
Admin Tools version
n/a

Latest post by nicholas on Wednesday, 04 April 2012 10:18 CDT

jparker3119
Description of my issue: For security purposes, I set allow_url_fopen to OFF by default. However, Joomla Update requires that this be set to ON in order to function. It would be great if there were a "Button" in Admin Tools that when clicked would set allow_url_fopen to ON, refresh the Update status of installed applications, and then set allow_url_fopen back to OFF. Then another button with the same function would be provided when a decision is made to implement the update.

Thanks,
Jim

nicholas
Akeeba Staff
Manager
Enabling/disabling that PHP feature requires modification of your php.ini file. On SOME hosts which use SuPHP or PHP in CGI mode it is possible to edit the php.ini in the root and administrator directories. On the vast majority of hosts which use mod_php or PHP as FastCGI this would require editing the system-wide php.ini and restarting Apache. Both actions require root privileges, which means that your web server (Apache) and Joomla! should run as root. This is the fastest way to ensure that one otherwise insignificant breach will compromise your entire server. So, no, I will not implement a feature which works on 10% of servers or requires you to severely degrade your site's security for convenience.

Besides, in future versions of Joomla! you won't need URL fopen() wrappers. This is something people are actively working on. I made sure that com_joomlaupdate (the new Joomla! updater, which is a direct port of the Admin Tools' Joomla! Update feature) can work with or without URL fopen() wrappers. With a bit of luck, we will be able to implement the same approach (auto-use cURL or fopen) in other areas of the CMS. I just need to find some time to write a patch :(

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
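
The "auto-use cURL or fopen" approach mentioned in the reply above, as an added example that is not code from Joomla!, com_joomlaupdate or Admin Tools. `fetchUpdateData()` is a hypothetical name, and the HTTPS-only check, the timeout and the disabled redirects are assumptions of this example.

```php
<?php
// Added illustration; not code from Joomla! or Admin Tools.
// fetchUpdateData() is a hypothetical helper name.

/**
 * Download a URL with cURL when the extension is loaded, otherwise with the
 * URL fopen() wrappers, and fail clearly when neither transport is usable.
 */
function fetchUpdateData(string $url, int $timeout = 10): string
{
    // Accept https:// only, so no other stream wrapper or local path gets through.
    if (strtolower((string) parse_url($url, PHP_URL_SCHEME)) !== 'https') {
        throw new InvalidArgumentException('Only https:// URLs are accepted');
    }

    // Preferred transport: cURL works with allow_url_fopen = Off.
    if (function_exists('curl_init')) {
        $ch = curl_init($url);
        curl_setopt_array($ch, [
            CURLOPT_RETURNTRANSFER => true,
            CURLOPT_FOLLOWLOCATION => false, // redirects are not followed
            CURLOPT_SSL_VERIFYPEER => true,  // verify the certificate chain
            CURLOPT_SSL_VERIFYHOST => 2,     // and the host name in it
            CURLOPT_CONNECTTIMEOUT => $timeout,
            CURLOPT_TIMEOUT        => $timeout,
        ]);
        $body = curl_exec($ch);
        $code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
        $err  = curl_error($ch);
        if ($body === false || $code !== 200) {
            throw new RuntimeException("cURL download failed (HTTP $code): $err");
        }
        return $body;
    }

    // Fallback: URL fopen() wrappers, only where php.ini leaves them enabled.
    if (filter_var(ini_get('allow_url_fopen'), FILTER_VALIDATE_BOOLEAN)) {
        $ctx = stream_context_create([
            'http' => ['timeout' => $timeout, 'follow_location' => 0],
            'ssl'  => ['verify_peer' => true, 'verify_peer_name' => true],
        ]);
        $body = @file_get_contents($url, false, $ctx);
        if ($body === false) {
            throw new RuntimeException('fopen() wrapper download failed');
        }
        return $body;
    }

    throw new RuntimeException('No transport: cURL is missing and allow_url_fopen is Off');
}
```

With this pattern the site keeps `allow_url_fopen = Off` whenever the cURL extension is present, and nothing has to rewrite php.ini at run time.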

jparker3119
That will be great when implemented!!!
Thanks for the update.
Jim

nicholas
Akeeba Staff
Manager
You're welcome!

