php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Request #79541 Add ini option to disable URLs in getimagesize
Submitted: 2020-04-29 17:39 UTC Modified: 2020-04-29 18:30 UTC
From: mail at tomsommer dot dk Assigned:
Status: Wont fix Package: GetImageSize related
PHP Version: 7.4.5 OS:
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: mail at tomsommer dot dk
New email:
PHP Version: OS:

 

 [2020-04-29 17:39 UTC] mail at tomsommer dot dk
Description:
------------
Would be great to have a php.ini-option to disable the get-URL functionality in getimagesize(), as it is often a sign of someone providing bad arguments (url instead of path).


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2020-04-29 17:42 UTC] requinix@php.net
-Status: Open +Status: Feedback
 [2020-04-29 17:42 UTC] requinix@php.net
Thank you for this bug report. To properly diagnose the problem, we
need a short but complete example script to be able to reproduce
this bug ourselves.

A proper reproducing script starts with <?php and ends with ?>,
is max. 10-20 lines long and does not require any external
resources such as databases, etc. If the script requires a
database to demonstrate the issue, please make sure it creates
all necessary tables, stored procedures etc.

Please avoid embedding huge scripts into the report.

Are you passing unvalidated input to getimagesize? If the problem is that someone is giving you a URL and you don't want them to, then the solution is to make sure that you don't let someone give you a URL.
 [2020-04-29 17:42 UTC] mail at tomsommer dot dk
Should be a separate option than allow_url_fopen
 [2020-04-29 17:42 UTC] bugreports at gmail dot com
no, the whole https://www.php.net/manual/en/wrappers.php stuff is designed in a way that it don#t matter if the path is a physical file or a supported remote file and there is no sane reason to poke special handling into random function signatures

> as it is often a sign of someone providing bad arguments (url instead of path)

you are responsible to write code with validates input as developer
 [2020-04-29 17:44 UTC] mail at tomsommer dot dk
Well, the problem is for instance Wordpress plugins where users submit URLs instead of file-paths, which goes directly into getimagesize() and thus results in a http-request (or hundreds), chaining into poor performance etc. 

I realise a solution is proper validation, but Wordpress plugins and user-code is rarely known for this. Thus as this can result in a server-problem, it would be great with a server-side toggle for it.
 [2020-04-29 17:48 UTC] bugreports at gmail dot com
> results in a http-request (or hundreds), chaining into poor performance etc.

than disable url wrappers on the server

> I realise a solution is proper validation, but Wordpress 
> plugins and user-code is rarely known for this

garbage in, garbage out

php is a programming language, you can't expect a programming language holding hands for every random "me too" developer, write bugreports for wodpress and the plugins

a programming language is supposed to do what the developer say and shouldn't holding hands - how do you expect to behave the bad code when random ini options chnage basic behavior of the underlying prigramming language?
 [2020-04-29 18:30 UTC] requinix@php.net
-Status: Feedback +Status: Wont fix
 [2020-04-29 18:30 UTC] requinix@php.net
As blunt as his replies are, I agree with him. There are many ways that someone can misuse PHP and creating settings to disable each one is not the right answer. Better coding is.

Whatever plugin or other mechanism is responsible for passing user input to getimagesize() needs to be updated to remove the vulnerability. Because that's essentially what this is: a vulnerability in the plugin. Standard practice in this situation is to give the administrator to choice of accepting all URLs or specifying a whitelist of domains to support.

allow_url_fopen is PHP's security measure for disabling unwanted remote access, even if it affects everything. More settings just makes it harder to write portable code.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Fri Mar 29 15:01:28 2024 UTC