Please don't use file to access remote URLs. (3 posts)

  1. jrconlin
    Member
    Posted 10 years ago #

    Hi all,
    Can I suggest that we don't use the file or fopen functions to open remote URLs? This is pretty much a security hole just waiting to happen. In fact, I've turned off allow_url_fopen to prevent such evil.
    If someone has register_globals on, there's precious little stopping someone from redefining the variable containing the remote URL with something pleasantly malicious, or changing the URL and turning every instance of b2 into a DOS bot, or stealing cookies by displaying theft code, etc.
    Instead I'd suggest using curl or the like to safely fetch remote content.
    e.g.
    in links.weblogs.com.php:73
    $file = safeUrlFetch($weblogs_xml_url);

    ## Safer way to fetch remote data. Less likely for someone to go and
    ## pass in a variable named $weblogs_xml_url.
    function safeUrlFetch($remoteUrl)
    {
        # check that the url begins with 'http' (strstr() would match 'http'
        # anywhere in the string, so test the prefix itself)
        if (strncmp($remoteUrl, 'http', 4) !== 0)
        {
            # It's invalid, no soup for you.
            return array();
        }
        # fetch the data into a buffer
        $ch = curl_init($remoteUrl);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
        $rawData = curl_exec($ch);
        curl_close($ch);
        if ($rawData === false)
        {
            # transfer failed; return an empty list rather than a string
            return array();
        }
        # and split the data on new lines to behave like file()
        return explode("\n", $rawData);
    }
    Granted, someone could still find some exploit with the result code, but at least this would work on sites as paranoid as I am.
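
    The helper below is an added example for this thread; it is not code from the original post or from b2/WordPress. It keeps the shape of the safeUrlFetch() idea (validate the URL, fetch with curl, return lines like file()) but checks the actual URL scheme with parse_url() instead of searching for the substring 'http', pins curl to http/https for both the first request and any redirect, bounds time and size, and falls back to the stream wrapper when curl is not compiled in, which is the situation Matt describes below. The function names, option values and sample URLs are assumptions chosen for illustration.

```php
<?php
// Added example, not from the original post or from b2/WordPress.
// Function names, limits and the sample URLs below are illustrative assumptions.

function validate_fetch_url($url)
{
    // Only http(s) URLs with a host component are acceptable. strstr() finds
    // 'http' anywhere in the string (e.g. in a query parameter), whereas
    // parse_url() tells us what the scheme really is.
    if (!is_string($url) || filter_var($url, FILTER_VALIDATE_URL) === false) {
        return false;
    }
    $parts = parse_url($url);
    if ($parts === false || empty($parts['host']) || !isset($parts['scheme'])) {
        return false;
    }
    return in_array(strtolower($parts['scheme']), array('http', 'https'), true);
}

function safe_url_fetch($url, $max_bytes = 1048576, $timeout = 10)
{
    if (!validate_fetch_url($url)) {
        return false; // It's invalid, no soup for you.
    }
    if (function_exists('curl_init')) {
        $ch = curl_init($url);
        curl_setopt_array($ch, array(
            CURLOPT_RETURNTRANSFER  => true,
            CURLOPT_FOLLOWLOCATION  => true,
            CURLOPT_MAXREDIRS       => 3,
            // Refuse file://, gopher://, etc. for the initial request and for
            // any Location: header the remote server sends back.
            CURLOPT_PROTOCOLS       => CURLPROTO_HTTP | CURLPROTO_HTTPS,
            CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTP | CURLPROTO_HTTPS,
            CURLOPT_CONNECTTIMEOUT  => $timeout,
            CURLOPT_TIMEOUT         => $timeout,
            // Honoured only when the server sends Content-Length, so the
            // strlen() check further down is still needed.
            CURLOPT_MAXFILESIZE     => $max_bytes,
            CURLOPT_FAILONERROR     => true,
        ));
        $data = curl_exec($ch);
        curl_close($ch);
    } elseif (ini_get('allow_url_fopen')) {
        // No curl: use the stream wrapper, but only after our own scheme check
        // and with a timeout so a slow peer cannot hang the page.
        $ctx = stream_context_create(array('http' => array(
            'timeout'         => $timeout,
            'follow_location' => 1,
            'max_redirects'   => 3,
        )));
        $data = @file_get_contents($url, false, $ctx, 0, $max_bytes + 1);
    } else {
        // Neither transport is available; the caller should fall back to a
        // locally cached copy of the file instead.
        return false;
    }
    if ($data === false || strlen($data) > $max_bytes) {
        return false;
    }
    return explode("\n", $data); // behave like file()
}

// Offline demonstration of the validation step on constructed inputs.
$samples = array(
    'http://rpc.weblogs.com/shortChanges.xml' => true,
    'https://example.com/feed.xml'            => true,
    'file:///etc/passwd?x=http'               => false, // strstr() would have found 'http' here
    'gopher://example.com/'                   => false,
    'http'                                    => false, // no scheme separator, no host
);
foreach ($samples as $url => $expected) {
    printf("%-45s %s\n", $url, validate_fetch_url($url) === $expected ? 'ok' : 'MISMATCH');
}
```

    Two caveats a practitioner would want noted: a scheme allowlist says nothing about which hosts may be contacted, so if the URL ever comes from user input rather than a constant in an included file, the host also needs to be checked against an allowlist (and re-checked after redirects); and the size limit is enforced after the body has been received, so a genuinely hostile server can still consume bandwidth up to the timeout.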

  2. Mike Little
    Member
    Posted 10 years ago #

    Hi jrconlin,
    In the particular case you highlight, $weblogs_xml_url is defined in a 'required' include file, which (I understand) means it cannot be overridden.
    However your suggestion sounds like a good one to bear in mind.
    Thanks,
    Mike

  3. Matt Mullenweg
    Troublemaker
    Posted 10 years ago #

    The number of people who don't have curl support in PHP is much higher than the number of people that turn off allow_url_fopen. This way is much more flexible, if you don't want it opening remote URLs then just set up a cron to grab the file and point the script to a local file. But like Mike said, security is not an issue in this case.

Topic Closed

This topic has been closed to new replies.