[nycphp-talk] Retrieving remote files-- caution

jon baer jonbaer at jonbaer.net
Sun Sep 7 07:13:40 EDT 2003


Thanks for pointing this out since I always use the function... it would be
nice to see some type of basic security policy for PHP in regards to certain
methods like these ... most languages go by the notion that "bytes are
bytes" no matter where you get them from, but it would be safer to define
walls for certain "dangerous methods" + include them in php.ini for better
safekeeping.  I always thought it would be nice to do something like what
you did beyond a policy that was saying "you can do this" "you can't do
that", like in Java + instead have security handlers ... for example
a policy would maybe be like: file_get_contents.allow or
file_get_contents.deny but instead allow a security handler to check params
globally ... file_get_contents.handler = (some method to check w/ first) ...

- Jon

----- Original Message -----
From: "Chris Snyder" <csnyder at chxo.com>
To: "NYPHP Talk" <talk at lists.nyphp.org>
Sent: Sunday, September 07, 2003 12:13 AM
Subject: [nycphp-talk] Retrieving remote files-- caution


> Learned a lesson tonight...
>
> If you're going to use file_get_contents() (or any function with fopen
> wrappers) to allow users to import a file from some other website,
> always check to make sure that the supplied url starts with "http://"
> and not, say, "/etc".
>
> function url_get_contents ( $url ) {
>     $array = parse_url($url);
>     // parse_url() returns false on badly formed input, and a bare path
>     // such as "/etc/passwd" has no 'scheme' element at all
>     if ( $array !== false && isset($array['scheme'])
>          && ( $array['scheme'] == 'http' || $array['scheme'] == 'ftp' ) ) {
>         return file_get_contents($url);
>     } else {
>         return 0;
>     }
> }
>
> I used to always use fsockopen for this, but file_get_contents seemed so
> easy by comparison -- except for the part where it was really built to
> handle local files. Doh!
>

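As an added example (not code from either post), here is Chris's scheme check combined with Jon's "handler" idea: every fetch goes through one validator before file_get_contents() is called. The function names and the stream-context settings are this example's own choices, and it deliberately drops ftp from the allow-list and refuses redirects, which goes beyond what the original function did.

```php
<?php
// Constructed example: a single "security handler" that every remote fetch
// must pass before file_get_contents() sees the user-supplied string.

const ALLOWED_SCHEMES = ['http', 'https'];   // assumption: ftp not needed here

function url_is_safe(string $url): bool {
    $parts = parse_url($url);
    // A bare path like "/etc/passwd" has no scheme or host; reject it.
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;
    }
    // Anything that is not plain http(s) is refused, so no file:// wrapper
    // and none of the other fopen wrappers can be reached from user input.
    if (!in_array(strtolower($parts['scheme']), ALLOWED_SCHEMES, true)) {
        return false;
    }
    // Do not let callers smuggle credentials inside the URL.
    if (isset($parts['user']) || isset($parts['pass'])) {
        return false;
    }
    return true;
}

function url_get_contents(string $url)
{
    if (!url_is_safe($url)) {
        return false;
    }
    // Even for an allowed URL, do not follow the remote server's redirects
    // and do not hang forever on a slow host.
    $ctx = stream_context_create(['http' => [
        'timeout'         => 5,
        'follow_location' => 0,
        'max_redirects'   => 0,
    ]]);
    return file_get_contents($url, false, $ctx);
}

// Quick self-check of the validator on constructed inputs.
assert(url_is_safe('http://www.example.com/feed.xml') === true);
assert(url_is_safe('https://www.example.com/feed.xml') === true);
assert(url_is_safe('/etc/passwd') === false);
assert(url_is_safe('file:///etc/passwd') === false);
assert(url_is_safe('ftp://www.example.com/feed.xml') === false);
assert(url_is_safe('http://user:secret@www.example.com/') === false);
```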