Curl and allow_url_fopen and joomla updates

[Minnie Mouse]

hi,
so i have a bunch of staged 2.5 sites on a server while i build them. recently i had a malware incident on a site and my host added this (and more) to the php.ini file
allow_url_fopen = Off

now when i go to extensions discover updates it tells me i need allow_url_fopen On. so I turned it back on and then updates are discoverable BUT this represents a security risk.

it was my understanding that the extension manager first looks for Curl... and when i look in my php settings curl is enabled... so why is this happening??

thanks

[PhilD]

Find a different host, your current one is not secure and does not understand security.

Proper setup will have this:
allow_url_fopen On
allow_url_include Off

Set php settings allow_url_fopen = to "On"

Make sure that allow_url_include is set to "Off" since that is the 'open house' for hackers. Hosts that do not know this simply turn everything off breaking many things as a result.

Joomla needs allow_url_fopen to be 'on' to make the upgrade work. There was discussion at one point but I don't think at this time (if ever) the extension manager will fall back to or use curl. Some hosts that turn off allow_url_fopen will also turn off curl.

No big deal as you can just download the patch, extract it, and upload with ftp, selecting overwrite all to apply the patch.

You can also upload the update package by ftp and extract it directly on the server using the domains file manager which will overwrite the changed files automatically.

[Minnie Mouse]

cool.. thanks for the good info!!

[hostking]

Nice - Thanks for this tip

[pe7er]

Find a different host, your current one is not secure and does not understand security.

Proper setup will have this:
allow_url_fopen On
allow_url_include Off

This Joomla documentation http://docs.joomla.org/Security_Checkli ... _url_fopen states

Don't use PHP allow_url_fopen

Should it be changed? to

Don't use PHP allow_url_include, but it's okay to use allow_url_fopen to get Joomla's One-Click-Update to work properly

[leolam]

This Joomla documentation http://docs.joomla.org/Security_Checkli ... _url_fopen states

Don't use PHP allow_url_fopen

Should it be changed? to

Don't use PHP allow_url_include, but it's okay to use allow_url_fopen to get Joomla's One-Click-Update to work properly

Yes it should be changed for sure

suggestion:

Never use PHP allow_url_include which is a serious security threat, but use allow_url_fopen to get Joomla's One-Click-Update to work properly

Leo

[PhilD]

Ok sounds good to me. While on the page should something be done with magic quotes gpc? J3.0 requires magic quotes to be off and it (the quotes) is depreciated as of PHP 5.3.0 and removed from php as of PHP 5.4.0.

The page is not protected so it can be edited by any. I won't have time today or tomorrow, but maybe over the weekend if you want me to make the edits.

[leolam]

I won't have time today or tomorrow, but maybe over the weekend if you want me to make the edits.

I know Phil and not lazy but simply leave it in your skillful hands.

Re. Magic quotes: something in your line probably: "Joomla advises MQ to be off in the Joomla 2.5-branch. J3.0 requires magic quotes to be off and MQ is depreciated as of launch PHP 5.3.0 (30-06-2009) and has been removed from php as of PHP 5.4.0."

Leo

[PhilD]

Sure that's fine

[alwarren]

I agree. The whole reason they created allow_url_include was to give us separate control over reading remote content versus including remote content in our scripts. Now, when allow_url_fopen is off, allow_url_include is also off. But, if allow_url_include is off then there's no point in having allow_url_fopen off also IF we have good filtering is in place.

Some servers may have allow_url_fopen off because they've been around for years, went through PHP upgrades, and no one ever turned it on. Or they're just uber paranoid. Either way, I think having allow_url_fopen is perfectly safe IF you have output filtering in place (including output to a db) AND allow_url_include is off.

Splitting remote access into two distinct functions gave us the flexibility of doing things like upgrading Joomla and reading RSS feeds. There's no reason we shouldn't take advantage of it.

[PhilD]

cleaned up and corrected some stuff on the page
http://docs.joomla.org/Security_Checkli ... rver_Setup

[killerkoz]

I realise this topic is a couple of years old but assuming allow_url_fopen ON and allow_url_include OFF is still best practice, in addition to the changes made to the above link, the following links need minor updates as well (both suggest allow_url_fopen OFF is good):

1. https://docs.joomla.org/Security_and_Pe ... ensions.3F (see Bad Practices section)
2. https://docs.joomla.org/Security_and_Pe ... taccess.3F

I'm a beginner who's very thoroughly read the Security Checklist and Security and Performance FAQs and this subject confused me before reading this post.

Cheers, Rob