php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #40396 cURL can be used to bypass allow_url_fopen=off
Submitted: 2007-02-08 02:40 UTC Modified: 2007-02-08 11:40 UTC
From: eion at bigfoot dot com Assigned:
Status: Not a bug Package: cURL related
PHP Version: 4.4.4 OS: Gentoo Linux
Private report: No CVE-ID: None
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: eion at bigfoot dot com
New email:
PHP Version: OS:

 

 [2007-02-08 02:40 UTC] eion at bigfoot dot com
Description:
------------
Using cURL, there is no check for allow_url_fopen, so although file_get_contents('http://...'); doesn't work, CURLOPT_URL='http://...' does work.

This could allow remote code execution.

I guess this is sort of related to the cURL safe_mode bypass that was fixed in 4.4.4

(not sure if this should be sent to security@php.net tho)

Reproduce code:
---------------
//with allow_url_fopen off, file_get_contents doesn't work:
$data = file_get_contents('http://php.net');

//with allow_url_fopen off, curl_exec does work:
function file_getc($url)
{
	$ch = curl_init();
	curl_setopt($ch, CURLOPT_URL, $url);
	curl_setopt($ch, CURLOPT_HEADER, 0);
	curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
	$data = curl_exec($ch);
	curl_close($ch);
	
	return $data;
}
$data = file_getc($data);

Expected result:
----------------
That both file_get_contents and curl_exec throw warnings, blocking url openings

Actual result:
--------------
Warning: main() [function.main]: URL file-access is disabled in the server configuration in demo.php on line 2

.... [other warnings, standard to allow_url_fopen warnings]

.... [php.net website contents]

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2007-02-08 02:43 UTC] eion at bigfoot dot com
Sorry, just re-read the example, which sucks.  But you get the general idea.
 [2007-02-08 11:40 UTC] tony2001@php.net
cURL is not fopen() and fopen() is not cURL, so there is nothing to bypass.
If you use cURL to include files, I really doubt any of existing INI settings may help you.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sat Nov 02 05:01:29 2024 UTC