|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #40396 cURL can be used to bypass allow_url_fopen=off
Submitted: 2007-02-08 02:40 UTC Modified: 2007-02-08 11:40 UTC
From: eion at bigfoot dot com Assigned:
Status: Not a bug Package: cURL related
PHP Version: 4.4.4 OS: Gentoo Linux
Private report: No CVE-ID: None
 [2007-02-08 02:40 UTC] eion at bigfoot dot com
Using cURL, there is no check for allow_url_fopen, so although file_get_contents('http://...'); doesn't work, CURLOPT_URL='http://...' does work.

This could allow remote code execution.

I guess this is sort of related to the cURL safe_mode bypass that was fixed in 4.4.4

(not sure if this should be sent to tho)

Reproduce code:
//with allow_url_fopen off, file_get_contents doesn't work:
$data = file_get_contents('');

//with allow_url_fopen off, curl_exec does work:
function file_getc($url)
	$ch = curl_init();
	curl_setopt($ch, CURLOPT_URL, $url);
	curl_setopt($ch, CURLOPT_HEADER, 0);
	curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
	$data = curl_exec($ch);
	return $data;
$data = file_getc($data);

Expected result:
That both file_get_contents and curl_exec throw warnings, blocking url openings

Actual result:
Warning: main() [function.main]: URL file-access is disabled in the server configuration in demo.php on line 2

.... [other warnings, standard to allow_url_fopen warnings]

.... [ website contents]


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2007-02-08 02:43 UTC] eion at bigfoot dot com
Sorry, just re-read the example, which sucks.  But you get the general idea.
 [2007-02-08 11:40 UTC]
cURL is not fopen() and fopen() is not cURL, so there is nothing to bypass.
If you use cURL to include files, I really doubt any of existing INI settings may help you.
PHP Copyright © 2001-2021 The PHP Group
All rights reserved.
Last updated: Tue Mar 02 21:01:24 2021 UTC