fly-apps / laravel-docker

Base Docker images for use with Laravel on Fly.io

Include a flag to turn allow_url_fopen off/on #12

Closed KTanAug21 closed 1 month ago

KTanAug21 commented 2 months ago

WHAT AND WHY: Include a flag for turning on/off the allow_url_fopen configuration directive. This will make it easier for users extending the laravel-docker image to turn it off/on, i.e. this was requested to be turned off for the Dockerfile generated by dockerfile-laravel, for improving security of apps deployed with it (this may allow remote script execution!).

HOW: Include another php_admin_value in the www.config file that sets the value for allow_url_fopen, and set the default value in Dockerfile and Dockerfile-unit templates. The default value would be "Off" to remove the security risk.

Helpful discussion: Which would be a better default value, 1 or 0? I'm afraid that this setting might override any user-setting config file, i.e. htaccess, php.ini file. So in that thought, it would be more secure to use 0 as default value, as selecting 1 (even though it's the default value set in the php.ini file) would be re-introducing a security risk the user has already turned off. But! I'm going to try and check if it indeed overrides any user config file.
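The mechanism the PR describes (a build-time flag whose value lands in the PHP-FPM pool config as a php_admin_value, defaulting to Off) can be sketched as follows. This is an added example, not the laravel-docker project's own Dockerfile or www.conf template; the base image tag, the ARG name ALLOW_URL_FOPEN and the pool config path are assumptions taken from the official php image layout.

```dockerfile
# Added example (not the laravel-docker project's template). Shows a build
# argument that is written into the PHP-FPM pool config as a php_admin_value.
# Base image tag, ARG name and the www.conf path are assumptions.
FROM php:8.2-fpm

# Default "Off", matching the PR's safer default. Users extending the image
# can rebuild with:  docker build --build-arg ALLOW_URL_FOPEN=On .
ARG ALLOW_URL_FOPEN=Off

# php_admin_value entries in the pool config are applied by the FPM master and
# cannot be overridden from application code (ini_set) or a .user.ini file,
# which is the property that makes the flag worth having as an image-level
# default rather than a php.ini line the application could re-enable.
RUN printf 'php_admin_value[allow_url_fopen] = %s\n' "${ALLOW_URL_FOPEN}" \
      >> /usr/local/etc/php-fpm.d/www.conf \
    && php-fpm -t   # syntax-check the resulting FPM configuration at build time
```

On the override question raised above: .htaccess php_value/php_flag lines are only honoured by Apache's mod_php, not by PHP-FPM, so under FPM the per-app override channels are php.ini, .user.ini and ini_set(); a plain php_value in the pool config still lets those win, whereas php_admin_value locks the directive. The effective value can be confirmed from inside a running container with `php-fpm -tt`, which dumps the parsed pool configuration.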

KTanAug21 commented 1 month ago

> Personally I like to keep it off by default.
>
> Also is there an official PHP image? What is the default value there?

Hi @kzys! Thank you so much for looking into this PR!

  1. There is an official PHP image. Its repository pulls official PHP distributions.

  2. The latest distribution from the repository uses a php.ini-production file that has allow_url_fopen turned on.