Jump to content

FURL open, why such an issue?


Recommended Posts

I run a few sites, one of them requires FURL to be open. (Google Maps API Call on a wordpress blog) It would seem most service providers prefer this option set to off or not use at all due to security issues.

Why is this and what can be done to help prevent an issue? Currently the mod i'm using doesn't have any other options, it's also seems pretty common to have this feature turned on. (Correct me if I'm wrong but I believe it's required for IPB software also)

Can some explain why it's usually advised not to use this method when so commonly used?

Link to comment
Share on other sites

Rather than FURL do you mean allow_url_fopen?

It's turned off as it can be a security risk. The best replacement is to use cURL to do what you want, which most providers have enabled in its place.

The simple and quick way to do this is:

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "http://www.your-call-to-google-apis.com");
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$return_data = curl_exec($ch);
curl_close($ch);

cURL is very configurable and has a lot more options than just those, but that's the fast way to grab something from a URL.
Link to comment
Share on other sites

allow_url_fopen (and it's related) are not insecure by itself, there is no inherent flaw in the code that should just be fixed. It's that it can be very dangerous in the hands of inexperienced programmers on security or mistakes. curl is less open to these stupid programmer problems and thus safer. To be specific, allow_url_fopen doesn't discriminate against what kind of URLs are passed, local, network, remote, etc. So, if someone were to put in a malicious remote file in the field instead, the function would open it just the same. A smart programmer would simply check for validity of request prior to actually loading it, thus eliminating the security risk (beyond the fact that loading foreign stuff itself is rather insecure). curl is specific to remote files. So it specifically distinguishes where it should retrieve the file from.

For example:

Say you normally fetch a remote file like this...

fopen('http://example.com/somefile.xml');

But it was somehow (by hacker?) turned into...

fopen('/etc/passwd');

lol uhoh~~ bye bye passwords.

If curl was given the command to open '/etc/passwd', it would just go... What the heck?

or if the passed address was like 'example.com/somefile.xml', then fopen would look for a folder "example.com" and a file "somefile.xml" under it from current working directory.

curl would take it as domain and request as it's default protocol is http.

But security aside, curl is way faster...

So, there's virtually no reason to use fopen.

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...