OrahChris Posted October 26, 2012 Share Posted October 26, 2012 I run a few sites, one of them requires FURL to be open. (Google Maps API Call on a wordpress blog) It would seem most service providers prefer this option set to off or not use at all due to security issues. Why is this and what can be done to help prevent an issue? Currently the mod i'm using doesn't have any other options, it's also seems pretty common to have this feature turned on. (Correct me if I'm wrong but I believe it's required for IPB software also) Can some explain why it's usually advised not to use this method when so commonly used? Link to comment Share on other sites More sharing options...
PeterUK Posted October 27, 2012 Share Posted October 27, 2012 Rather than FURL do you mean allow_url_fopen?It's turned off as it can be a security risk. The best replacement is to use cURL to do what you want, which most providers have enabled in its place.The simple and quick way to do this is:$ch = curl_init(); curl_setopt($ch, CURLOPT_URL, "http://www.your-call-to-google-apis.com"); curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); $return_data = curl_exec($ch); curl_close($ch);cURL is very configurable and has a lot more options than just those, but that's the fast way to grab something from a URL. Link to comment Share on other sites More sharing options...
OrahChris Posted October 27, 2012 Author Share Posted October 27, 2012 Would this still be placed in the php.ini file? So if I understand this correctly, allow_url_fopen essentially allows any script to pull something from a 3rd party, where as cURL is more of a case by case basis? Link to comment Share on other sites More sharing options...
Grumpy Posted October 27, 2012 Share Posted October 27, 2012 allow_url_fopen (and it's related) are not insecure by itself, there is no inherent flaw in the code that should just be fixed. It's that it can be very dangerous in the hands of inexperienced programmers on security or mistakes. curl is less open to these stupid programmer problems and thus safer. To be specific, allow_url_fopen doesn't discriminate against what kind of URLs are passed, local, network, remote, etc. So, if someone were to put in a malicious remote file in the field instead, the function would open it just the same. A smart programmer would simply check for validity of request prior to actually loading it, thus eliminating the security risk (beyond the fact that loading foreign stuff itself is rather insecure). curl is specific to remote files. So it specifically distinguishes where it should retrieve the file from. For example: Say you normally fetch a remote file like this... fopen('http://example.com/somefile.xml'); But it was somehow (by hacker?) turned into... fopen('/etc/passwd'); lol uhoh~~ bye bye passwords. If curl was given the command to open '/etc/passwd', it would just go... What the heck? or if the passed address was like 'example.com/somefile.xml', then fopen would look for a folder "example.com" and a file "somefile.xml" under it from current working directory. curl would take it as domain and request as it's default protocol is http. But security aside, curl is way faster... So, there's virtually no reason to use fopen. Link to comment Share on other sites More sharing options...
OrahChris Posted October 27, 2012 Author Share Posted October 27, 2012 ahh that makes a lot of sense! Understanding how it works actually makes me shudder a bit. Allow_url_fopen is a temporary solution at best and I will definitely be changing to curl instead. Link to comment Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.