Curl and allow_url_fopen and joomla updates
-
- Joomla! Intern
- Posts: 92
- Joined: Fri Mar 23, 2007 6:28 pm
Curl and allow_url_fopen and joomla updates
hi,
so i have a bunch of staged 2.5 sites on a server while i build them. recently i had a malware incident on a site and my host added this (and more) to the php.ini file
allow_url_fopen = Off
now when i go to extensions discover updates it tells me i need allow_url_fopen On. so I turned it back on and then updates are discoverable BUT this represents a security risk.
it was my understanding that the extension manager first looks for Curl... and when i look in my php settings curl is enabled... so why is this happening??
thanks
- PhilD
- Joomla! Hero
- Posts: 2737
- Joined: Sat Oct 21, 2006 10:20 pm
- Location: Wisconsin USA
- Contact:
Re: Curl and allow_url_fopen and joomla updates
Find a different host, your current one is not secure and does not understand security.
Proper setup will have this:
allow_url_fopen On
allow_url_include Off
Set php settings allow_url_fopen = to "On"
Make sure that allow_url_include is set to "Off" since that is the 'open house' for hackers. Hosts that do not know this simply turn everything off breaking many things as a result.
Joomla needs allow_url_fopen to be 'on' to make the upgrade work. There was discussion at one point but I don't think at this time (if ever) the extension manager will fall back to or use curl. Some hosts that turn off allow_url_fopen will also turn off curl.
No big deal as you can just download the patch, extract it, and upload with ftp, selecting overwrite all to apply the patch.
You can also upload the update package by ftp and extract it directly on the server using the domains file manager which will overwrite the changed files automatically.
PhilD
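An added example, not part of the original posts and not Joomla code: a small Python audit that reads a php.ini and checks the two directives against the advice in the post above. The function names, the finding labels, and the sample php.ini text are constructed for illustration; the defaults assumed for a missing directive are PHP's own (allow_url_fopen On, allow_url_include Off).

```python
import re

# PHP's built-in defaults when a directive is absent from php.ini.
DEFAULTS = {"allow_url_fopen": True, "allow_url_include": False}
TRUTHY = {"on", "yes", "true"}
DIRECTIVE = re.compile(r"(allow_url_(?:fopen|include))\s*=\s*(.*)$", re.I)

def parse_flags(ini_text):
    """Return both directives as booleans; the last assignment in the file wins."""
    flags = dict(DEFAULTS)
    for line in ini_text.splitlines():
        line = line.split(";", 1)[0].strip()   # drop ';' comments, incl. commented-out lines
        m = DIRECTIVE.match(line)
        if m:
            value = m.group(2).strip().strip("\"'").lower()
            # Simplified boolean rule: On/Yes/True or a non-zero integer is true.
            flags[m.group(1).lower()] = value in TRUTHY or (value.isdigit() and int(value) != 0)
    return flags

def audit(ini_text):
    """Classify a php.ini against 'allow_url_fopen On, allow_url_include Off'."""
    flags = parse_flags(ini_text)
    fopen, include = flags["allow_url_fopen"], flags["allow_url_include"]
    findings = []
    if include and fopen:
        findings.append("RISK: allow_url_include is On; include/require may load remote code")
    elif include:
        # PHP only honours allow_url_include while allow_url_fopen is On.
        findings.append("WARN: allow_url_include is On; it takes effect once allow_url_fopen is re-enabled")
    if not fopen:
        findings.append("BREAKS: allow_url_fopen is Off; Joomla update discovery will fail")
    return findings or ["OK: allow_url_fopen On, allow_url_include Off"]

# Constructed sample: a host's blanket hardening that also left include switched on.
SAMPLE_INI = """\
; hardening added after an incident (constructed example)
allow_url_fopen = Off
allow_url_include = On
;allow_url_include = Off
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_INI):
        print(finding)
```

Run it against each staged site's php.ini before switching allow_url_fopen back on, so a forgotten allow_url_include = On is caught first.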
-
- Joomla! Intern
- Posts: 92
- Joined: Fri Mar 23, 2007 6:28 pm
Re: Curl and allow_url_fopen and joomla updates
cool.. thanks for the good info!!
-
- Joomla! Apprentice
- Posts: 29
- Joined: Sat Sep 01, 2012 7:02 pm
- Contact:
Re: Curl and allow_url_fopen and joomla updates
Nice - Thanks for this tip
Top Joomla and CMS Hosting And Domains Provider In South Africa
https://www.hostking.co.za/web-hosting-south-africa
https://www.hostking.com.ng/web-hosting-nigeria
- pe7er
- Joomla! Master
- Posts: 24091
- Joined: Thu Aug 18, 2005 8:55 pm
- Location: Nijmegen, Netherlands
- Contact:
Re: Curl and allow_url_fopen and joomla updates
PhilD wrote: Find a different host, your current one is not secure and does not understand security.
Proper setup will have this:
allow_url_fopen On
allow_url_include Off
This Joomla documentation http://docs.joomla.org/Security_Checkli ... _url_fopen states
"Don't use PHP allow_url_fopen"
Should it be changed? to
"Don't use PHP allow_url_include, but it's okay to use allow_url_fopen to get Joomla's One-Click-Update to work properly"
Kind Regards,
Peter Martin, Global Moderator
Company website: https://db8.nl (Renewed!) - Joomla specialist, Nijmegen, Netherlands
The best website: https://the-best-website.com
- leolam
- Joomla! Master
- Posts: 20521
- Joined: Mon Aug 29, 2005 10:17 am
- Location: Netherlands/ Germany/ S'pore/Bogor/ North America
- Contact:
Re: Curl and allow_url_fopen and joomla updates
pe7er wrote: This Joomla documentation http://docs.joomla.org/Security_Checkli ... _url_fopen states "Don't use PHP allow_url_fopen". Should it be changed? to "Don't use PHP allow_url_include, but it's okay to use allow_url_fopen to get Joomla's One-Click-Update to work properly"
Yes it should be changed for sure
suggestion:
Never use PHP allow_url_include which is a serious security threat, but use allow_url_fopen to get Joomla's One-Click-Update to work properly
Leo
Joomla's #1 Professional Services Provider:
#Joomla Professional Support: https://gws-desk.com -
#Joomla Specialized Hosting Solutions: https://gws-host.com -
- PhilD
- Joomla! Hero
- Posts: 2737
- Joined: Sat Oct 21, 2006 10:20 pm
- Location: Wisconsin USA
- Contact:
Re: Curl and allow_url_fopen and joomla updates
Ok sounds good to me. While on the page should something be done with magic quotes gpc? J3.0 requires magic quotes to be off and it (the quotes) is deprecated as of PHP 5.3.0 and removed from php as of PHP 5.4.0.
The page is not protected so it can be edited by any. I won't have time today or tomorrow, but maybe over the weekend if you want me to make the edits.
PhilD
- leolam
- Joomla! Master
- Posts: 20521
- Joined: Mon Aug 29, 2005 10:17 am
- Location: Netherlands/ Germany/ S'pore/Bogor/ North America
- Contact:
Re: Curl and allow_url_fopen and joomla updates
PhilD wrote: I won't have time today or tomorrow, but maybe over the weekend if you want me to make the edits.
I know Phil and not lazy but simply leave it in your skillful hands.
Re. Magic quotes: something in your line probably: "Joomla advises MQ to be off in the Joomla 2.5-branch. J3.0 requires magic quotes to be off and MQ is deprecated as of launch PHP 5.3.0 (30-06-2009) and has been removed from php as of PHP 5.4.0."
Leo

Joomla's #1 Professional Services Provider:
#Joomla Professional Support: https://gws-desk.com -
#Joomla Specialized Hosting Solutions: https://gws-host.com -
- PhilD
- Joomla! Hero
- Posts: 2737
- Joined: Sat Oct 21, 2006 10:20 pm
- Location: Wisconsin USA
- Contact:
-
- Joomla! Guru
- Posts: 527
- Joined: Fri Aug 19, 2005 9:27 am
Re: Curl and allow_url_fopen and joomla updates
I agree. The whole reason they created allow_url_include was to give us separate control over reading remote content versus including remote content in our scripts. Now, when allow_url_fopen is off, allow_url_include is also off. But, if allow_url_include is off then there's no point in having allow_url_fopen off also IF we have good filtering in place.
Some servers may have allow_url_fopen off because they've been around for years, went through PHP upgrades, and no one ever turned it on. Or they're just uber paranoid. Either way, I think having allow_url_fopen is perfectly safe IF you have output filtering in place (including output to a db) AND allow_url_include is off.
Splitting remote access into two distinct functions gave us the flexibility of doing things like upgrading Joomla and reading RSS feeds. There's no reason we shouldn't take advantage of it.
Al Warren
This ain't my first rodeo. Red Foreman says it best.
CQDX de WR5AW
- PhilD
- Joomla! Hero
- Posts: 2737
- Joined: Sat Oct 21, 2006 10:20 pm
- Location: Wisconsin USA
- Contact:
Re: Curl and allow_url_fopen and joomla updates
cleaned up and corrected some stuff on the page
http://docs.joomla.org/Security_Checkli ... rver_Setup
PhilD
-
- Joomla! Apprentice
- Posts: 19
- Joined: Mon Aug 08, 2011 4:03 am
Re: Curl and allow_url_fopen and joomla updates
I realise this topic is a couple of years old but assuming allow_url_fopen ON and allow_url_include OFF is still best practice, in addition to the changes made to the above link, the following links need minor updates as well (both suggest allow_url_fopen OFF is good):
1. https://docs.joomla.org/Security_and_Pe ... ensions.3F (see Bad Practices section)
2. https://docs.joomla.org/Security_and_Pe ... taccess.3F
I'm a beginner who's very thoroughly read the Security Checklist and Security and Performance FAQs and this subject confused me before reading this post.
Cheers, Rob