Support » Requests and Feedback » Please don’t use file to access remote urls.

  • Hi all,
    Can I suggest that we don’t use the file or fopen functions to open remote URLs? This is pretty much a security hole just waiting to happen. In fact, I’ve turned off allow_url_fopen to prevent such evil.
    If someone has register_globals on, there’s precious little stopping someone from redefining the variable containing the remote URL with something pleasantly malicious, or changing the URL and turning every instance of b2 into a DOS bot, or stealing cookies by displaying theft code, etc., etc., etc.
    Instead I’d suggest using curl or the like to safely fetch remote content.
    e.g.
    in links.weblogs.com.php:73
    $file = safeUrlFetch($weblogs_xml_url);

    ## Safer way to fetch remote data. Less likely for someone to go and
    ## pass in a variable named $weblogs_xml_url.
    function safeUrlFetch($remoteUrl)
    {
        # check that the url begins with 'http' (a prefix compare; strstr
        # would also accept 'http' appearing anywhere inside the string)
        if (strncmp($remoteUrl, 'http', 4) !== 0)
        {
            # It's invalid, no soup for you.
            return array();
        }
        # fetch the data into a buffer
        $ch = curl_init($remoteUrl);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
        $rawData = curl_exec($ch);
        curl_close($ch);
        if ($rawData === false)
        {
            # the transfer failed; hand back nothing rather than garbage
            return array();
        }
        # and split the data on new lines to behave like file()
        return explode("\n", $rawData);
    }
    Granted, someone could still find some exploit with the result code, but at least this would work on sites as paranoid as I am.
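A fuller version of the idea in this post, written as an added example rather than code from the thread or from b2 itself: the URL is parsed and its scheme checked against an allow-list before cURL ever sees it, the scheme restriction is repeated inside cURL so that a redirect cannot switch to another protocol, and the transfer is bounded in time and size. The function name `fetchRemoteLines`, its limits, and the `function_exists` fallback (which covers the case of PHP builds without cURL) are assumptions for this illustration; the `CURLOPT_*` and `CURLPROTO_*` constants are the real PHP cURL ones.

```php
<?php
// Added example, not from the original thread or from b2: a hardened remote
// fetch that behaves like file() (array of lines) but only for http/https.
// fetchRemoteLines, $maxBytes and $timeoutSeconds are assumed names/values.

function fetchRemoteLines($remoteUrl, $maxBytes = 1048576, $timeoutSeconds = 10)
{
    // Without the cURL extension there is no safe path here; refuse rather
    // than fall back to file()/fopen() on an attacker-influenced URL.
    if (!function_exists('curl_init')) {
        return array();
    }

    // Parse first so that values such as "file:///etc/passwd" or a bare
    // hostname never reach the transport layer.
    $parts = parse_url($remoteUrl);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return array();
    }
    if (!in_array(strtolower($parts['scheme']), array('http', 'https'), true)) {
        return array();
    }

    $ch = curl_init($remoteUrl);
    curl_setopt_array($ch, array(
        CURLOPT_RETURNTRANSFER  => true,
        // Lock the scheme down inside cURL too, for the first request and
        // for any Location: redirect the server answers with.
        CURLOPT_PROTOCOLS       => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_FOLLOWLOCATION  => true,
        CURLOPT_MAXREDIRS       => 3,
        CURLOPT_CONNECTTIMEOUT  => $timeoutSeconds,
        CURLOPT_TIMEOUT         => $timeoutSeconds,
        // Abort once more than $maxBytes has arrived, so a hostile or broken
        // feed cannot exhaust memory. A non-zero return aborts the transfer.
        CURLOPT_NOPROGRESS      => false,
        CURLOPT_PROGRESSFUNCTION => function ($ch, $downloadSize, $downloaded) use ($maxBytes) {
            return ($downloaded > $maxBytes) ? 1 : 0;
        },
    ));
    $rawData = curl_exec($ch);
    $status  = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    curl_close($ch);

    // Treat any transport error, size abort or non-200 answer as "nothing".
    if ($rawData === false || $status !== 200) {
        return array();
    }
    return explode("\n", $rawData);
}

// Usage at the call site discussed in the post (constructed value):
$lines = fetchRemoteLines('http://example.invalid/weblogs.xml');
```

The scheme check is done twice on purpose: `parse_url` rejects malformed input early, and `CURLOPT_PROTOCOLS`/`CURLOPT_REDIR_PROTOCOLS` make sure a redirect from a trusted host cannot move the request onto a scheme the first check never saw.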

Viewing 2 replies - 1 through 2 (of 2 total)
  • Hi jrconlin,
    In the particular case you highlight, $weblogs_xml_url is defined in a ‘required’ include file, which (I understand) means it cannot be overridden.
    However, your suggestion sounds like a good one to bear in mind.
    Thanks,
    Mike

  • Moderator Matt Mullenweg (@matt), Troublemaker
    The number of people who don’t have curl support in PHP is much higher than the number of people that turn off allow_url_fopen. This way is much more flexible; if you don’t want it opening remote URLs, then just set up a cron to grab the file and point the script to a local file. But like Mike said, security is not an issue in this case.

  • The topic ‘Please don’t use file to access remote urls.’ is closed to new replies.