If you have recently upgraded to PHP 5.2.x or newer and are getting an error on your site saying URL file-access is disabled in the server configuration, you may be affected by a new PHP configuration change. As of PHP 5.2.0, a new configuration directive, allow_url_include, was introduced in an effort to enhance security in file inclusion. The introduction of this directive allows an admin to keep allow_url_fopen enabled for scripts that need it, but disable remote includes for include() and require() functions.

Note: We should take a moment to point out that enabling allow_url_fopen and allow_url_include are both strongly discouraged because of the potential for inclusion of remote URLs which can then execute arbitrary code. Furthermore, enabling protection via these two directives only prevents execution of arbitrary code from common URL handlers (e.g. http: and ftp:) and not other attack vectors. For ultimate security in this regard, consider using Suhosin as per this article on the developer’s website. 

With the above in mind, if you still decide that you need to have URL file-access enabled for your includes, you will need to add the new directive to your php.ini since it is not already defined and defaults to disabled (0). On a blank line in your php.ini (/usr/local/lib/php.ini on cPanel servers), add the following:

allow_url_include = On

Restart your webserver and you’re done.



Tags: , , , , ,

Spin up a cloud server in no time flat

Simple setup. Full root access. Straightforward pricing.


DEPLOY SERVER




Leave a Reply