[2007-02-08 02:43 UTC] eion at bigfoot dot com
[2007-02-08 11:40 UTC] tony2001@php.net
Copyright © 2001-2025 The PHP Group. All rights reserved.
Last updated: Mon Oct 27 23:00:01 2025 UTC
Description:
------------
Using cURL, there is no check for allow_url_fopen, so although file_get_contents('http://...'); doesn't work, CURLOPT_URL='http://...' does work. This could allow remote code execution. I guess this is sort of related to the cURL safe_mode bypass that was fixed in 4.4.4 (not sure if this should be sent to security@php.net though).

Reproduce code:
---------------
<?php
$data = file_get_contents('http://php.net'); // with allow_url_fopen off, file_get_contents doesn't work

// with allow_url_fopen off, curl_exec does work:
function file_getc($url) {
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_HEADER, 0);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    $data = curl_exec($ch);
    curl_close($ch);
    return $data;
}
$data = file_getc('http://php.net');

Expected result:
----------------
That both file_get_contents and curl_exec throw warnings, blocking URL openings.

Actual result:
--------------
Warning: main() [function.main]: URL file-access is disabled in the server configuration in demo.php on line 2
....
[other warnings, standard to allow_url_fopen warnings]
....
[php.net website contents]
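The report above shows that allow_url_fopen only governs PHP's stream wrappers, not the cURL extension. The following is an added example, not code from the bug report or from the PHP project: a wrapper that performs the same allow_url_fopen check the stream wrappers do before handing a URL to cURL, and additionally pins the protocols libcurl may use for the request and for any redirect target. The function and exception names (safe_curl_get, FetchDeniedException) are assumptions made for this example.

```php
<?php
// Added example: a cURL wrapper that honours allow_url_fopen and restricts
// protocols, so disabling URL fopen wrappers also disables remote fetches
// made through the cURL extension. Names here are hypothetical.

class FetchDeniedException extends RuntimeException {}

function safe_curl_get(string $url, int $timeout = 10): string
{
    // Mirror the check that the http:// stream wrapper performs; cURL itself
    // never consults allow_url_fopen (the behaviour the bug report describes).
    if (!filter_var(ini_get('allow_url_fopen'), FILTER_VALIDATE_BOOLEAN)) {
        throw new FetchDeniedException('URL file-access is disabled in the server configuration');
    }

    // Only accept well-formed http/https URLs at the application layer.
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        throw new FetchDeniedException('Refusing malformed URL');
    }
    $scheme = strtolower($parts['scheme']);
    if (!in_array($scheme, ['http', 'https'], true)) {
        throw new FetchDeniedException('Only http/https are permitted, got: ' . $scheme);
    }

    $ch = curl_init();
    curl_setopt_array($ch, [
        CURLOPT_URL             => $url,
        CURLOPT_HEADER          => false,
        CURLOPT_RETURNTRANSFER  => true,
        // Enforce the same restriction inside libcurl for the initial request
        // and for redirect targets, so a redirect to file:// or another
        // scheme is refused even if redirects are later enabled.
        CURLOPT_PROTOCOLS       => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_FOLLOWLOCATION  => false,
        CURLOPT_TIMEOUT         => $timeout,
    ]);
    $data = curl_exec($ch);
    $err  = curl_error($ch);
    curl_close($ch);

    if ($data === false) {
        throw new FetchDeniedException('cURL request failed: ' . $err);
    }
    return $data;
}

// Usage: with allow_url_fopen=Off this throws instead of fetching.
try {
    echo safe_curl_get('http://php.net');
} catch (FetchDeniedException $e) {
    error_log($e->getMessage());
}
```

Where application code cannot be changed, the equivalent server-side control is to list curl_exec and curl_multi_exec in the disable_functions directive of php.ini, which removes the functions entirely rather than relying on each caller to check the setting.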