Why does inclusion ("php: // input") not work?

Question

Why does inclusion ("php: // input") not work?

Imagine a PHP toy application is vulnerable to including an absolute local file, for example.

<?php include($_GET['action']);

I tried the following query to use it:

 POST /?action=php://input HTTP/1.1 Host: XXXXXXXXXXXXXXXXX Content-Length: 3 foo

This effectively performs include('php://input'); with the request body foo , so I expect it to print foo . However, I get the following error:

 <br /> <b>Warning</b>: include(php://input): failed to open stream: operation failed in <b>XXXXXXXXXXXXXXXXX</b> on line <b>12</b><br /> <br /> <b>Warning</b>: include(): Failed opening 'php://input' for inclusion (include_path='.:/usr/share/php:/usr/share/pear') in <b>XXXXXXXXXXXXXXXXXXX</b> on line <b>12</b><br />

What is the problem? Is this a PHP security feature? If so, can anyone point out the crucial part of the PHP source code that mitigates this?

+6

security php

Niklas B. Feb 22 '16 at 14:20

source share

1 answer

Niklas B. · Answer 1 · 2016-02-22T14:33:18+0000

I found the answer using Gustek . Apparently php://input falls under the allow_url_include constraint, whereas, for example, php://filter does not:

Limited by allow_url_include: php: // input, php: // stdin, php: // memory and php: // temp only.

Source: Documents for php:// URL handler

Why does inclusion ("php: // input") not work?

More articles: