The directive "allow_url_fopen" is a useful feature of PHP.
For example, xoopsheadline depends on "allow_url_fopen".
If you turn "allow_url_fopen" off, you can't use xoopsheadline either as main or as a block.
But in fact this feature often causes serious vulnerabilities.
I think that "allow_url_fopen On" is a setting which should be avoided as much as "register_globals On".
Scripts using snoopy instead of fopen("http://...","r") can work under "allow_url_fopen Off".
Of course, xoopsheadline can also work under "allow_url_fopen Off" if it is modified to use snoopy.
line 62 in xoopsheadline/class/headlinerenderer.php
old:
if (!$fp = fopen($this->_hl->getVar('headline_rssurl'), 'r')) {
    $this->_setErrors('Could not open file: '.$this->_hl->getVar('headline_rssurl'));
    return false;
}
$data = '';
while (!feof ($fp)) {
    $data .= fgets($fp, 4096);
}
fclose ($fp);
new:
// start of snoopy hack
$error_level_stored = error_reporting() ;
error_reporting( $error_level_stored & ~ E_NOTICE ) ;
// includes Snoopy class for remote file access
require_once(XOOPS_ROOT_PATH."/class/snoopy.php");
$snoopy = new Snoopy;
// timeout on read operations: 5 seconds
$snoopy->read_timeout = 5;
// URL fetch
if( ! $snoopy->fetch( $this->_hl->getVar( 'headline_rssurl' ) ) || ! $snoopy->results ) {
    // restore the previous error level before returning on failure
    error_reporting( $error_level_stored ) ;
    if (!empty($snoopy->error)) {
        $this->_setErrors('Could not open file: '.$this->_hl->getVar('headline_rssurl').' snoopy status='.$snoopy->error);
    } else {
        $this->_setErrors('Could not open file: '.$this->_hl->getVar('headline_rssurl'));
    }
    return false;
}
$data = $snoopy->results ;
error_reporting( $error_level_stored ) ;
// end of snoopy hack
php_flag allow_url_fopen Off
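
An added example, not part of the original post or of XOOPS: a small Python audit that lists the call sites in PHP source that rely on "allow_url_fopen", so they can be moved to snoopy before the directive is turned off. The function list, the names scan_php, OLD_SNIPPET, NEW_SNIPPET and OTHER_SNIPPET, and the sample sources are constructed assumptions; the check is a line-oriented regex heuristic and will miss calls split across lines.

```python
import re

# Constructed, non-exhaustive list of PHP functions that accept URLs
# through the stream wrappers when allow_url_fopen is On.
URL_AWARE = ("fopen", "file_get_contents", "readfile", "file")

# The lookbehind skips method calls (->file), static calls (::file),
# variables ($file) and longer names such as is_file().
CALL = re.compile(r"(?<![\w$>:])(%s)\s*\(\s*([^,)]*)" % "|".join(URL_AWARE))
REMOTE = re.compile(r"""^["'](https?|ftp)://""", re.I)


def scan_php(source):
    """Return (line_no, function, kind) for each call that needs review."""
    findings = []
    for no, line in enumerate(source.splitlines(), 1):
        if line.lstrip().startswith(("//", "#", "*", "/*")):
            continue  # whole-line comments only
        for m in CALL.finditer(line):
            arg = m.group(2).strip()
            if REMOTE.match(arg):
                # literal URL: stops working once the directive is Off
                findings.append((no, m.group(1), "remote"))
            elif arg.startswith("$"):
                # variable argument: may receive a URL at run time
                findings.append((no, m.group(1), "dynamic"))
    return findings


# Constructed samples: the fopen() call from the post, the snoopy version,
# and a few extra lines that exercise the other branches.
OLD_SNIPPET = """if (!$fp = fopen($this->_hl->getVar('headline_rssurl'), 'r')) {
    return false;
}
while (!feof ($fp)) { $data .= fgets($fp, 4096); }
fclose ($fp);
"""
NEW_SNIPPET = """require_once(XOOPS_ROOT_PATH."/class/snoopy.php");
$snoopy = new Snoopy;
if( ! $snoopy->fetch( $this->_hl->getVar( 'headline_rssurl' ) ) || ! $snoopy->results ) {
    return false;
}
"""
OTHER_SNIPPET = """$xml = file_get_contents("http://example.com/feed.rss");
$fp = fopen(XOOPS_ROOT_PATH . '/cache/a.txt', 'w');
$ok = is_file($path);
"""

if __name__ == "__main__":
    for name in ("OLD_SNIPPET", "NEW_SNIPPET", "OTHER_SNIPPET"):
        print(name, scan_php(globals()[name]))
```

A "dynamic" finding is only a prompt to review where the argument comes from; a "remote" finding is a call that must be ported before setting the directive to Off.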