Support » Requests and Feedback » Please don’t use file to access remote urls.

  • Hi all,
    Can i suggest that we don’t use the file or fopen functions to open remote urls? This is pretty much a security hole just waiting to happen. In fact, I’ve turned off allow_url_fopen to prevent such evil.
    If someone has register_globals on, there’s precious little stopping someone from redefining the variable containing the remote URL with something pleasantly malicious, or changing the url and turning every instance of b2 into a DOS bot, or stealing cookies by displaying theft code,etc, etc, etc.
    Instead I’d suggest using curl or the like to safely fetch remote content.
    $file = safeUrlFetch($weblogs_xml_url);
    ## Safer way to fetch remote data. Less likely for someone to go and
    ## pass in a variable named $weblogs_xml_url.
    function safeUrlFetch($remoteUrl)
    #check that the url begins with ‘http’
    $remoteUrl = strstr($remoteUrl,’http’);
    if (!$remoteUrl)
    # It’s invalid, no soup for you.
    return [];
    # fetch the data into a buffer
    $ch = curl_init($remoteUrl);
    $rawData = curl_exec($ch);
    # and split the data on new lines to behave like file()
    return split(“\n”,$rawData);
    Granted, someone could still find some exploit with the result code, but at least this would work on sites as paranoid as I am.

Viewing 2 replies - 1 through 2 (of 2 total)
  • Hi jrconlin,
    In the particular case you highlight, $weblogs_xml_url is defined in a ‘required’ include file, which (I understand) means it cannot be over-ridden.
    However your suggestion sounds like a good one to bear in mind.

    Moderator Matt Mullenweg



    The number of people who don’t have curl support in PHP is much higher than the number of people that turn off allow_url_fopen. This way is much more flexible, if you don’t want it opening remote URLs then just set up a cron to grab the file and point the script to a local file. But like Mike said, security is not an issue in this case.

Viewing 2 replies - 1 through 2 (of 2 total)
  • The topic ‘Please don’t use file to access remote urls.’ is closed to new replies.