allow_url_fopen is a big security risk. For our safety and yours, it cannot and will not be enabled.
Of course, the allow_url_fopen setting also carries a separate risk of enabling Remote File Execution, Access Control Bypass or Information Disclosure attacks. If an attacker can inject a remote URI of their choosing into a file function, they could manipulate an application into executing, storing or displaying the fetched file, including files from any untrusted remote source. It is also worth bearing in mind that such file fetches would originate from localhost and thus be capable of bypassing access controls based on local server restrictions. As such, while allow_url_fopen is enabled by default, you should disable it without hesitation to maximise security.
Please ask the developers of your software to fix their code so that it does not depend on this setting being enabled.
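For developers asked to make such a fix, the following is an added example (not code from this page or from any particular software) of a PHP page loader that works with allow_url_fopen turned off: it rejects any scheme or stream-wrapper prefix, restricts the name to plain characters, and confines the resolved file to one directory. The names pages/, PAGE_DIR and safe_page_path are assumptions for the example.

```php
<?php
// Added example, not from the original page. PAGE_DIR and safe_page_path()
// are assumed names; "pages/" is an assumed directory under the script.
declare(strict_types=1);

const PAGE_DIR = __DIR__ . '/pages';

// Returns the real path of a page file inside PAGE_DIR, or null when the
// requested name is a URL, uses a stream wrapper, or escapes the directory.
function safe_page_path(string $requested): ?string
{
    // Any "scheme:" prefix (http://, ftp://, php://, data://, phar://, ...)
    // is rejected outright; a local file never needs one.
    if (preg_match('#^[a-z][a-z0-9+.\-]*:#i', $requested)) {
        return null;
    }
    // Only a simple name is accepted: letters, digits, underscore, dash.
    // This also rules out "/", "\" and "..", so no traversal is possible.
    if (!preg_match('/^[A-Za-z0-9_\-]+$/', $requested)) {
        return null;
    }
    $base = realpath(PAGE_DIR);
    $path = realpath(PAGE_DIR . '/' . $requested . '.php');
    if ($base === false || $path === false) {
        return null;   // directory missing or page does not exist
    }
    // realpath() resolves symlinks and "..", so a prefix check suffices
    // to confirm the file really lives under PAGE_DIR.
    if (strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

// The pattern the page warns about, shown here only as a comment: with a
// remote URI in $_GET['page'] and the URL wrappers enabled, the fetched
// file would be executed.
//   include $_GET['page'];

// Hardened usage: the file function only ever sees a vetted local path,
// so it no longer needs allow_url_fopen (or allow_url_include) at all.
$page = safe_page_path($_GET['page'] ?? 'home');
if ($page === null) {
    http_response_code(404);
    exit('Unknown page');
}
include $page;
```

The same safe_page_path() check can guard file_get_contents() or fopen() calls, which covers the "storing or displaying" cases as well as execution.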