Security issue with binary type (ver. 3.x)?



I’m currently running CakePHP 3.4.11, with sessions set to be stored in the database (MySQL). As per the CakePHP documentation, the sessions table includes a BLOB field, as in here.

I’ve found that I need to have the PHP setting allow_url_fopen set to “on” for sessions to work properly. Otherwise, I get an error on line 86 of /vendor/cakephp/cakephp/src/Database/Type/BinaryType.php along the lines of:

function.fopen: failed to open stream: no suitable wrapper could be found

And the session data isn’t retrieved from the database (which means users can’t log in, for one thing).

I’d prefer not to enable allow_url_fopen as it’s a security risk, but I can’t see a simple workaround, so long as I’m using database sessions. Has anyone else come across this and found a solution?

In general, it looks as though allow_url_fopen has to be enabled for CakePHP 3 to handle binary data from most databases, which isn’t ideal.

Although I’m running CakePHP 3.4.11, I can see the issue still exists in 3.4.12 and 3.5.

Thanks for your help!
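As an added illustration (not code from CakePHP, and not code from the original poster), the snippet below contrasts the two ways a binary string from a BLOB column can be wrapped in a stream resource. The data: URI open is a URL-style wrapper and is refused when allow_url_fopen is off (producing the "no suitable wrapper could be found" message quoted above); php://temp is a local wrapper that allow_url_fopen does not govern, so the same conversion can be done with the setting left off. The post does not show the failing line of BinaryType.php, so the assumption that it opens a data: URI is mine, and the sample session payload is constructed.

```php
<?php
// Added example, not CakePHP's own code: convert a binary string fetched from a
// BLOB column into a stream resource without using a URL wrapper such as
// data:, so allow_url_fopen can remain disabled.

/**
 * Wrap a binary string in an in-memory/temporary stream.
 * php://temp is a local stream wrapper and is not subject to allow_url_fopen.
 */
function binaryToStream(string $value)
{
    $stream = fopen('php://temp', 'r+b');
    if ($stream === false) {
        throw new RuntimeException('Unable to open php://temp stream');
    }
    fwrite($stream, $value);
    rewind($stream);
    return $stream;
}

/**
 * Read a stream back into a binary string (the reverse direction, e.g. before
 * the value is written back to the BLOB column).
 */
function streamToBinary($stream): string
{
    rewind($stream);
    return stream_get_contents($stream);
}

// Constructed sample: a serialized-looking session payload containing a NUL
// byte and a high byte, the kind of content a BLOB sessions column holds.
$sample = "user|a:1:{s:2:\"id\";i:42;}\x00\xff";

// The data: wrapper is the one that needs allow_url_fopen. Show the contrast
// under the current ini setting without changing it; the @ suppresses the
// warning so the script keeps running when the wrapper is refused.
$dataUri = @fopen('data:text/plain;base64,' . base64_encode($sample), 'rb');
printf(
    "allow_url_fopen=%s, data: wrapper %s\n",
    ini_get('allow_url_fopen') ? 'on' : 'off',
    $dataUri === false ? 'refused' : 'opened'
);
if ($dataUri !== false) {
    fclose($dataUri);
}

// The php://temp route works either way.
$stream = binaryToStream($sample);
$roundTrip = streamToBinary($stream);
fclose($stream);

// The payload must survive the round trip byte for byte.
var_dump($roundTrip === $sample);
```

Run it once with allow_url_fopen on and once with it off (for example via php -d allow_url_fopen=0): the data: line changes from "opened" to "refused", while the php://temp round trip prints bool(true) in both cases. That is the check to apply to any custom type or session handler before deciding whether the setting really needs to be enabled.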