php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #40396 cURL can be used to bypass allow_url_fopen=off
Submitted: 2007-02-08 02:40 UTC Modified: 2007-02-08 11:40 UTC
From: eion at bigfoot dot com Assigned:
Status: Not a bug Package: cURL related
PHP Version: 4.4.4 OS: Gentoo Linux
Private report: No CVE-ID: None
 [2007-02-08 02:40 UTC] eion at bigfoot dot com
Description:
------------
Using cURL, there is no check for allow_url_fopen, so although file_get_contents('http://...'); doesn't work, CURLOPT_URL='http://...' does work.

This could allow remote code execution.

I guess this is sort of related to the cURL safe_mode bypass that was fixed in 4.4.4

(not sure if this should be sent to security@php.net tho)

Reproduce code:
---------------
//with allow_url_fopen off, file_get_contents doesn't work:
$data = file_get_contents('http://php.net');

//with allow_url_fopen off, curl_exec does work:
function file_getc($url)
{
	$ch = curl_init();
	curl_setopt($ch, CURLOPT_URL, $url);
	curl_setopt($ch, CURLOPT_HEADER, 0);
	curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
	$data = curl_exec($ch);
	curl_close($ch);
	
	return $data;
}
$data = file_getc($data);

Expected result:
----------------
That both file_get_contents and curl_exec throw warnings, blocking url openings

Actual result:
--------------
Warning: main() [function.main]: URL file-access is disabled in the server configuration in demo.php on line 2

.... [other warnings, standard to allow_url_fopen warnings]

.... [php.net website contents]

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2007-02-08 02:43 UTC] eion at bigfoot dot com
Sorry, just re-read the example, which sucks.  But you get the general idea.
 [2007-02-08 11:40 UTC] tony2001@php.net
cURL is not fopen() and fopen() is not cURL, so there is nothing to bypass.
If you use cURL to include files, I really doubt any of existing INI settings may help you.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Fri Oct 11 15:01:27 2024 UTC