Re: Making reading files from remote URL's more secure

From: Date: Sun, 11 Apr 2010 16:28:25 +0000
Subject: Re: Making reading files from remote URL's more secure
References: 1  Groups: php.internals 
Request: Send a blank email to internals+get-47871@lists.php.net to get a copy of this message
On Sun, Apr 11, 2010 at 6:23 PM, Keith Roberts <keith@karsites.net> wrote:

> Hi all.
>
> I've been reading about the security implications of turning
> allow_url_fopen 'on' for certain PHP applications that need to read files
> from a remote URL.
>
> To recap, please read this old article about Remote file inclusion
> vulnerabilities: http://lwn.net/Articles/203904/
>
> I'm just wondering if the ability to read files from a remote URL could be
> moved into a set of functions dedicated to that purpose alone? Then remove
> the URL reading ability from the standard file reading functions, to make
> those more secure?
>
> The new set of remote file reading functions could be prefixed with 'url_'.
>
> This would make it easier to distinguish between the local file reading
> functions, and those that read from remote URLs.
>
> So the normal fopen() function would only work on files locally, regardless
> of whether allow_url_fopen was turned on.

This would be a great step.... backward.

Tyrael
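
A userland version of the split proposed in the quoted message, added here as an illustration and not code from this thread or from PHP itself. The names `local_read()` and `url_read()` are hypothetical, and the host `files.example` and the temp file are constructed sample input.

```php
<?php
declare(strict_types=1);

// Added illustration: local_read() and url_read() are hypothetical names, not PHP built-ins.
/** Read a file only if it resolves to a real path inside $baseDir. */
function local_read(string $path, string $baseDir): string
{
    $base = realpath($baseDir);
    // realpath() resolves local filesystem paths only, so "http://..." or
    // "php://input" yields false here, as does a missing file.
    $real = realpath($path);
    if ($base === false || $real === false
        || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        throw new InvalidArgumentException('not a local file under the base directory');
    }
    $data = file_get_contents($real);
    if ($data === false) {
        throw new RuntimeException('local read failed');
    }
    return $data;
}

/** Fetch a URL only if its scheme and host are on an explicit allowlist. */
function url_read(string $url, array $allowedHosts): string
{
    $parts = parse_url($url) ?: [];
    $scheme = strtolower($parts['scheme'] ?? '');
    $host = strtolower($parts['host'] ?? '');
    if (!in_array($scheme, ['http', 'https'], true) || !in_array($host, $allowedHosts, true)) {
        throw new InvalidArgumentException('URL scheme or host not allowed');
    }
    // Needs allow_url_fopen=On. Redirects are not followed, so a response
    // cannot steer the fetch to a host outside the allowlist.
    $ctx = stream_context_create(['http' => ['follow_location' => 0, 'timeout' => 5]]);
    $data = file_get_contents($url, false, $ctx);
    if ($data === false) {
        throw new RuntimeException('remote read failed');
    }
    return $data;
}

// Constructed sample input: one temp file, plus strings that must be rejected.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'demo_' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'page.txt', 'hello');
echo local_read($dir . DIRECTORY_SEPARATOR . 'page.txt', $dir), PHP_EOL;
foreach (['http://files.example/page.txt', 'php://input'] as $bad) {
    try { local_read($bad, $dir); } catch (InvalidArgumentException $e) { echo "rejected: $bad", PHP_EOL; }
}
```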

