Please don't use file to access remote urls. (3 posts)

  1. jrconlin
    Posted 12 years ago

    Hi all,
    Can I suggest that we don't use the file or fopen functions to open remote URLs? This is pretty much a security hole just waiting to happen. In fact, I've turned off allow_url_fopen to prevent such evil.
    If someone has register_globals on, there's precious little stopping someone from redefining the variable containing the remote URL with something pleasantly malicious, or changing the URL and turning every instance of b2 into a DoS bot, or stealing cookies by displaying theft code, etc., etc., etc.
    Instead I'd suggest using curl or the like to safely fetch remote content.
    in links.weblogs.com.php:73
    $file = safeUrlFetch($weblogs_xml_url);

    ## Safer way to fetch remote data. Less likely for someone to go and
    ## pass in a variable named $weblogs_xml_url.
    function safeUrlFetch($remoteUrl)
    {
        # check that the url begins with 'http' (strstr() only tested that it
        # *contained* 'http' somewhere; strncmp() checks the start of the string)
        if (strncmp($remoteUrl, 'http', 4) !== 0) {
            # It's invalid, no soup for you.
            return array();
        }
        # fetch the data into a buffer; without RETURNTRANSFER curl_exec()
        # echoes the body to the browser and returns true instead of the data
        $ch = curl_init($remoteUrl);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
        $rawData = curl_exec($ch);
        curl_close($ch);
        if ($rawData === false) {
            return array();
        }
        # and split the data on new lines to behave like file()
        return explode("\n", $rawData);
    }
    Granted, someone could still find some exploit with the result code, but at least this would work on sites as paranoid as I am.
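A tighter version of the same idea, added here as an example; it is not code from the post above or from b2. It assumes PHP built with the curl extension (the poster's premise) and replaces the strstr() test with a parse_url() scheme check, then pins the curl handle to http/https with redirects disabled, so a redefined or tampered URL variable cannot send the fetch to file://, php://, ftp:// or a local service. The function names, the sample URLs and the example.com host are constructed for illustration.

```php
<?php
// Added example (not from the original post or from b2): scheme check via
// parse_url() plus a curl fetch restricted to http/https without redirects.

function isAllowedRemoteUrl($url) {
    $parts = parse_url($url);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        return false;
    }
    // Only plain web fetches; file, php, data, ftp, gopher, ... are refused.
    return in_array(strtolower($parts['scheme']), array('http', 'https'), true);
}

// Returns the body split into lines like file(), or an empty array on any failure.
function strictUrlFetch($url, $timeoutSeconds = 10, $maxBytes = 1048576) {
    if (!isAllowedRemoteUrl($url)) {
        return array();
    }
    $ch = curl_init($url);
    curl_setopt_array($ch, array(
        CURLOPT_RETURNTRANSFER => true,   // hand the body back instead of echoing it
        CURLOPT_FOLLOWLOCATION => false,  // a redirect to file:// or an internal host is not followed
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_CONNECTTIMEOUT => $timeoutSeconds,
        CURLOPT_TIMEOUT        => $timeoutSeconds,  // a stalled server cannot hang the page
        CURLOPT_MAXFILESIZE    => $maxBytes,        // honoured only when Content-Length is sent
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_USERAGENT      => 'b2-weblogs-fetch',  // constructed identifier
    ));
    $body   = curl_exec($ch);
    $status = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    curl_close($ch);
    // strlen() backs up CURLOPT_MAXFILESIZE for chunked responses with no Content-Length.
    if ($body === false || $status !== 200 || strlen($body) > $maxBytes) {
        return array();
    }
    return explode("\n", $body);
}

// Constructed inputs showing what the scheme check accepts and rejects.
// Note that strstr($url, 'http') accepts the ftp:// and gopher:// entries
// because they merely *contain* "http"; parse_url() looks at the real scheme.
$samples = array(
    'http://rpc.example.com/changes.xml'  => true,
    'https://rpc.example.com/changes.xml' => true,
    'file:///etc/passwd'                  => false,
    'php://filter/resource=/etc/passwd'   => false,
    'ftp://ftp.example.com/http'          => false,
    'gopher://localhost:6667/_http'       => false,
);
foreach ($samples as $url => $expected) {
    $ok = isAllowedRemoteUrl($url);
    printf("%-40s %s%s\n", $url, $ok ? 'allowed' : 'rejected',
           $ok === $expected ? '' : '  <-- unexpected');
}
```

The register_globals concern is addressed structurally rather than in the fetch function: the URL should come from a literal or a constant defined in the including file, never from a variable a request parameter could populate, and the function above then only guarantees that whatever it is handed is a plain http(s) fetch with bounded time and size.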

  2. Mike Little
    Posted 12 years ago

    Hi jrconlin,
    In the particular case you highlight, $weblogs_xml_url is defined in a 'required' include file, which (I understand) means it cannot be overridden.
    However your suggestion sounds like a good one to bear in mind.

  3. Matt Mullenweg
    Posted 12 years ago

    The number of people who don't have curl support in PHP is much higher than the number of people that turn off allow_url_fopen. This way is much more flexible, if you don't want it opening remote URLs then just set up a cron to grab the file and point the script to a local file. But like Mike said, security is not an issue in this case.

Topic Closed

This topic has been closed to new replies.
