OrahChris Posted October 26, 2012

I run a few sites, one of them requires FURL to be open. (Google Maps API call on a WordPress blog) It would seem most service providers prefer this option set to off or not used at all due to security issues. Why is this and what can be done to help prevent an issue? Currently the mod I'm using doesn't have any other options; it also seems pretty common to have this feature turned on. (Correct me if I'm wrong but I believe it's required for IPB software also) Can someone explain why it's usually advised not to use this method when it is so commonly used?
PeterUK Posted October 27, 2012

Rather than FURL do you mean allow_url_fopen? It's turned off as it can be a security risk. The best replacement is to use cURL to do what you want, which most providers have enabled in its place. The simple and quick way to do this is:

    $ch = curl_init();                                                   // create a cURL handle
    curl_setopt($ch, CURLOPT_URL, "http://www.your-call-to-google-apis.com"); // the URL to fetch
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);                         // return the body instead of printing it
    $return_data = curl_exec($ch);                                       // perform the request
    curl_close($ch);                                                     // release the handle

cURL is very configurable and has a lot more options than just those, but that's the fast way to grab something from a URL.
OrahChris (Author) Posted October 27, 2012

Would this still be placed in the php.ini file? So if I understand this correctly, allow_url_fopen essentially allows any script to pull something from a 3rd party, whereas cURL is more of a case-by-case basis?
Grumpy Posted October 27, 2012

allow_url_fopen (and its relatives) are not insecure by themselves; there is no inherent flaw in the code that should just be fixed. It's that it can be very dangerous in the hands of programmers inexperienced in security, or through mistakes. curl is less open to these stupid programmer problems and thus safer.

To be specific, allow_url_fopen doesn't discriminate against what kind of URLs are passed: local, network, remote, etc. So, if someone were to put a malicious remote file in the field instead, the function would open it just the same. A smart programmer would simply check the validity of the request prior to actually loading it, thus eliminating the security risk (beyond the fact that loading foreign stuff itself is rather insecure). curl is specific to remote files. So it specifically distinguishes where it should retrieve the file from.

For example: say you normally fetch a remote file like this...

    fopen('http://example.com/somefile.xml');

But it was somehow (by a hacker?) turned into...

    fopen('/etc/passwd');

lol uhoh~~ bye bye passwords. If curl was given the command to open '/etc/passwd', it would just go... What the heck?

Or if the passed address was like 'example.com/somefile.xml', then fopen would look for a folder "example.com" and a file "somefile.xml" under it from the current working directory. curl would take it as a domain and request it, as its default protocol is http.

But security aside, curl is way faster... So, there's virtually no reason to use fopen.
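The "check the validity of the request before loading it" step that Grumpy describes, combined with PeterUK's cURL call, as an added example that is not from this thread and not the mod's own code. The function names (validate_fetch_url, fetch_remote_resource), the ALLOWED_HOSTS allow-list and the sample Google Maps URL are assumptions constructed for the example. One caveat the thread does not mention: libcurl itself also understands file:// and several other schemes, so the example pins CURLOPT_PROTOCOLS to HTTP/HTTPS rather than relying on cURL being "specific to remote files".

```php
<?php
// Added example (not from the thread): validate a caller-supplied URL, then fetch it
// with cURL restricted to HTTP/HTTPS. All names below are hypothetical.

// Constructed allow-list: only hosts the application actually needs to talk to.
const ALLOWED_HOSTS = ['maps.googleapis.com'];

/**
 * Returns null when the URL is acceptable, otherwise a short rejection reason.
 * Rejects bare paths, relative "host/file" strings, non-HTTP schemes and unknown hosts.
 */
function validate_fetch_url(string $url): ?string
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        // '/etc/passwd', 'example.com/somefile.xml' and 'file:///etc/passwd' all land here:
        // none of them carries both a scheme and a host.
        return 'not an absolute http(s) URL';
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return 'scheme not allowed';      // e.g. ftp://, gopher://, php://
    }
    if (!in_array(strtolower($parts['host']), ALLOWED_HOSTS, true)) {
        return 'host not on the allow-list';
    }
    return null;
}

/** Fetches the body of an allow-listed URL, throwing on validation or transport failure. */
function fetch_remote_resource(string $url): string
{
    $reason = validate_fetch_url($url);
    if ($reason !== null) {
        throw new InvalidArgumentException("refusing to fetch '$url': $reason");
    }

    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER  => true,
        // libcurl also speaks file:// and others; pin the protocols it may use.
        CURLOPT_PROTOCOLS       => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        // A redirect could point anywhere, so do not follow it silently.
        CURLOPT_FOLLOWLOCATION  => false,
        CURLOPT_CONNECTTIMEOUT  => 5,
        CURLOPT_TIMEOUT         => 10,
        CURLOPT_SSL_VERIFYPEER  => true,
    ]);
    $body = curl_exec($ch);
    $err  = curl_error($ch);
    $code = (int) curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    curl_close($ch);

    if ($body === false) {
        throw new RuntimeException("cURL error: $err");
    }
    if ($code !== 200) {
        throw new RuntimeException("unexpected HTTP status $code");
    }
    return $body;
}

// Demonstration using the inputs discussed in the thread; only the first one passes.
$candidates = [
    'https://maps.googleapis.com/maps/api/geocode/json?address=Paris',
    '/etc/passwd',
    'example.com/somefile.xml',
    'file:///etc/passwd',
    'http://attacker.invalid/somefile.xml',
];
foreach ($candidates as $candidate) {
    echo str_pad($candidate, 62), ' -> ', validate_fetch_url($candidate) ?? 'ok', PHP_EOL;
}
```

The validation runs before any I/O, so the same check protects a script regardless of whether it ends up calling cURL or the fopen wrappers; the cURL options then make the transport itself refuse anything that is not plain HTTP(S), which matters because cURL's "remote only" behaviour is a default, not a guarantee.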
OrahChris Posted October 27, 2012 Author Posted October 27, 2012 ahh that makes a lot of sense! Understanding how it works actually makes me shudder a bit. Allow_url_fopen is a temporary solution at best and I will definitely be changing to curl instead.