Recently I wanted to use simplexml_load_file in order to retrieve xml data from an external source at one of my web accounts. However, the hosting company in question does not allow external file access via simplexml_load_file or file_get_contents for security reasons but they do on the other hand allow it via cURL which worked just fine. What is the difference really when it comes to security?


simplexml_load_file and file_get_contents both use the allow_url_fopen directive, which while ON allows remote files to be include'd and/or require'd. This is a security problem if someone includes a script from a remote source. To stop the remote include/require, the allow_url_fopen directive is turned off; that also turns off the remote options for functions like fopen, simplexml_load_file and file_get_contents.

Yes and no.

You could compile your own version of PHP and write the changes, but I wouldn't recommend it.

Other than that, no: all the functions use the same wrapper (one connection routine fits all).

If allow_url_fopen is ON then you can use remote files, otherwise you can't.

However, let's try something different: why not create a fsocket function that does what file_get_contents does?

i.e.

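<?php
// host to fetch from; also sent as the Host header
$url = "www.apple.com";

$fp = fsockopen($url, 80, $errno, $errstr, 30);

if (!$fp) {
    echo "$errstr ($errno)<br />\n";
} else {
    // HTTP/1.0 so the reply is not chunked, which this simple reader does not decode
    $out = "GET / HTTP/1.0\r\n";
    // the Host header must name the remote host, not this server
    $out .= "Host: ".$url."\r\n";
    $out .= "Connection: Close\r\n\r\n";
    fwrite($fp, $out);
    $data = "";
    $get = false; // becomes true once the blank line that ends the headers is seen
    while (!feof($fp)) {
        $tmp = fgets($fp, 128);
        $data .= ($get)?$tmp:"";
        if($tmp=="\r\n") $get =true;
    }
    echo $data;
    fclose($fp);
}
?>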

Sorry, read the question wrong; thought you wanted allow_url_fopen Off and wanted include.

allow_url_include will stop just include and require.

As a note: if allow_url_include is ON it will fail unless allow_url_fopen is also ON.

No problem. The question in the first place was really whether there would be any difference security-wise if you would allow external file access via allow_url_fopen (simplexml and file_get_contents) without the possibility to include external files on one side or CURL on the other?

Did you read my link? It explains the vulnerabilities pretty well. Basically, as long as you carefully sanitize any user input (if any) to be used with the functions in question (including cURL), you'll be fine. A common example of how it can go wrong:

<?php
//this is the main script where we include different pages, depending on $_GET['page']
include($_GET['page']);
?>

That's obviously (for some) a really bad idea, since $_GET['page'] can be set by the user to the URL of a malicious script. The way it should be done:

<?php
//this is the main script where we include different pages, depending on $_GET['page']
//define array of allowed pages
$allowed = array('home', 'php', 'about');
//if the page is set and allowed (strict comparison), include it, else include an error page
if (isset($_GET['page']) && in_array($_GET['page'], $allowed, true)) {
   include($_GET['page'] . '.php');
} else {
   include('errorpage.php');
}
?>
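
The same allowlist idea applied to the cURL fetch from the original question, as an added example that is not part of any post in this thread. The host feeds.example.com and the function names is_allowed_url and fetch_remote_xml are assumptions made for illustration.

```php
<?php
// Added example: hosts and URLs below are constructed placeholders.
const ALLOWED_HOSTS = ['feeds.example.com'];

// Accept only http(s) URLs whose host is on the allowlist.
function is_allowed_url($url)
{
    if (!is_string($url)) {
        return false;
    }
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;
    }
    return in_array(strtolower($parts['scheme']), ['http', 'https'], true)
        && in_array(strtolower($parts['host']), ALLOWED_HOSTS, true);
}

// Fetch with cURL (works with allow_url_fopen = Off) and parse the body as XML.
function fetch_remote_xml($url)
{
    if (!is_allowed_url($url)) {
        return false;
    }
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS, // no file://, ftp://, ...
        CURLOPT_FOLLOWLOCATION => false, // a redirect could leave the allowlist
        CURLOPT_CONNECTTIMEOUT => 5,
        CURLOPT_TIMEOUT        => 10,
    ]);
    $body = curl_exec($ch);
    $code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    if ($body === false || $code !== 200) {
        return false;
    }
    libxml_use_internal_errors(true); // collect parse errors instead of emitting warnings
    // LIBXML_NONET stops the parser from fetching anything over the network itself
    return simplexml_load_string($body, 'SimpleXMLElement', LIBXML_NONET);
}

// Constructed inputs: only the first passes validation (this check needs no network).
foreach (['https://feeds.example.com/news.xml',
          'ftp://feeds.example.com/news.xml',
          'https://other.example.net/news.xml'] as $candidate) {
    printf("%-40s %s\n", $candidate, is_allowed_url($candidate) ? 'allowed' : 'rejected');
}
```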
