vineld Posted August 11, 2009
Recently I wanted to use simplexml_load_file in order to retrieve xml data from an external source at one of my web accounts. However, the hosting company in question does not allow external file access via simplexml_load_file or file_get_contents for security reasons but they do on the other hand allow it via cURL which worked just fine. What is the difference really when it comes to security?
thebadbad Posted August 11, 2009
Have a read here: http://phpsec.org/projects/phpsecinfo/tests/allow_url_fopen.html
MadTechie Posted August 11, 2009
simplexml_load_file and file_get_contents both use the allow_url_fopen directive, which, while ON, allows remote files to be include'd and/or require'd. This is a security problem if someone includes a script from a remote source. To stop the remote include/require, the allow_url_fopen directive is turned off; that also turns off the remote options for functions like fopen, simplexml_load_file and file_get_contents.
vineld (Author) Posted August 12, 2009
It is possible to disallow url access for include / require even if allow_url_fopen is on.
MadTechie Posted August 12, 2009
Yes and no. You could compile your own version of PHP and write the changes, but I wouldn't recommend it. Other than that, no: all the functions use the same wrapper (one connection routine fits all). If allow_url_fopen is ON then you can use remote files, otherwise you can't. However, let's try something different: why not create an fsockopen function that does what file_get_contents does, ie

```php
<?php
$url = "www.apple.com";
$fp = fsockopen($url, 80, $errno, $errstr, 30);
if (!$fp) {
    echo "$errstr ($errno)<br />\n";
} else {
    // HTTP/1.0 so the server does not use chunked transfer encoding,
    // which this loop does not decode
    $out  = "GET / HTTP/1.0\r\n";
    // Host must name the remote server being fetched, not our own server
    $out .= "Host: " . $url . "\r\n";
    $out .= "Connection: Close\r\n\r\n";
    fwrite($fp, $out);
    $data = "";
    $get  = false;   // becomes true once the blank line ending the headers is seen
    while (!feof($fp)) {
        $tmp   = fgets($fp, 128);
        $data .= ($get) ? $tmp : "";
        if ($tmp == "\r\n") $get = true;
    }
    echo $data;   // body only, like file_get_contents would return
    fclose($fp);
}
?>
```
vineld (Author) Posted August 12, 2009
Are you sure about that? Another hosting company I use has allow_url_fopen on although it is not possible to access external urls via require and include.
MadTechie Posted August 12, 2009
Sorry, I read the question wrong; I thought you wanted allow_url_fopen Off and wanted include. allow_url_include will stop just include and require. As a note: if allow_url_include is ON it will fail unless allow_url_fopen is also ON.
vineld (Author) Posted August 14, 2009
No problem. The question in the first place was really whether there would be any difference security-wise if you would allow external file access via allow_url_fopen (simplexml and file_get_contents) without the possibility to include external files on one side, or cURL on the other?
thebadbad Posted August 15, 2009
Did you read my link? It explains the vulnerabilities pretty well. Basically, as long as you carefully sanitize any user input (if any) to be used with the functions in question (including cURL), you'll be fine. A common example of how it can go wrong:

```php
<?php
//this is the main script where we include different pages, depending on $_GET['page']
include($_GET['page']);
?>
```

That's obviously (for some) a really bad idea, since $_GET['page'] can be set by the user to the URL of a malicious script. The way it should be done:

```php
<?php
//this is the main script where we include different pages, depending on $_GET['page']
//define array of allowed pages
$allowed = array('home', 'php', 'about');
//if the page is allowed, include it, else include an error page
//(isset avoids a notice when no page is given; strict in_array avoids loose comparison)
if (isset($_GET['page']) && in_array($_GET['page'], $allowed, true)) {
    include($_GET['page'] . '.php');
} else {
    include('errorpage.php');
}
?>
```
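The same allowlist idea applied to the original question (fetching remote XML through cURL, which does not consult allow_url_fopen at all), as an added example that is not code from any poster in this thread; the helper names and the example.com allowlist are assumptions:

```php
<?php
// Added example, not code from any poster in this thread. Fetches remote XML
// through cURL (which never consults allow_url_fopen) only after validating
// the URL against a host allowlist; helper names and example.com are assumptions.

function url_is_allowed($url, array $allowed_hosts)
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;
    }
    // Only plain web schemes: rejects file://, php://, ftp://, data: and friends
    if (!in_array(strtolower($parts['scheme']), array('http', 'https'), true)) {
        return false;
    }
    // No embedded credentials, and the host must be on the allowlist
    if (isset($parts['user']) || isset($parts['pass'])) {
        return false;
    }
    return in_array(strtolower($parts['host']), $allowed_hosts, true);
}

function fetch_remote_xml($url, array $allowed_hosts, $max_bytes = 1048576)
{
    if (!url_is_allowed($url, $allowed_hosts)) {
        return false;
    }
    $ch = curl_init($url);
    curl_setopt_array($ch, array(
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => false,  // a redirect could leave the allowlist
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_CONNECTTIMEOUT => 10,
        CURLOPT_TIMEOUT        => 30,
    ));
    $body   = curl_exec($ch);
    $status = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    curl_close($ch);
    if ($body === false || $status !== 200 || strlen($body) > $max_bytes) {
        return false;
    }
    // Parsing from a string keeps the URL stream wrappers out of it entirely;
    // LIBXML_NONET stops libxml from fetching external DTDs or entities itself.
    return simplexml_load_string($body, 'SimpleXMLElement', LIBXML_NONET);
}

// Constructed usage: only feeds hosted on example.com are accepted
$xml = fetch_remote_xml('http://example.com/feed.xml', array('example.com'));
var_dump($xml !== false);
```

Whichever fetch path the host permits, the security-relevant part is the validation in front of it: the host's allow_url_fopen setting limits the stream wrappers, not what your script does with a user-supplied URL.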
vineld (Author) Posted August 15, 2009
Now you're talking about include / require once again which was not what I was asking about...