The risk of PHP opening remote files

PHP has a configuration option called Allow_url_fopen, Venetian Casino This option is valid by default. It allows you to point to many types of resources and handle them like local files. For example, by reading a URL you can get the content of a page (HTML):

<?php$contents = file_get_contents (' http://www.nowamagic.net/');? >

When contaminated data is used for include and require file pointing, a serious vulnerability is created. In fact, I think this vulnerability is one of the most dangerous vulnerabilities in PHP applications because it allows an attacker to execute arbitrary code. Although the severity is almost at the level, a similar vulnerability arises when the contaminated data is used in a standard file system function:

<?php$contents = file_get_contents ($_get[' filename ');? >

This example enables the user to manipulate the behavior of the file_get_contents () so that it obtains the contents of the remote resource. Consider a request similar to the following:

Http://example.org/file.php?file ... mple.org%2fxss.html

This leads to a situation where the value of the $content is contaminated, and because this value is obtained indirectly, it is possible to overlook this fact. This is also the depth of defense principle will regard the file system as a remote data source, but also depending on the value of $content as input, so that your filtering mechanism will potentially play a role in the future.

Because the $content value is contaminated, it can lead to multiple security vulnerabilities, including cross-site scripting vulnerabilities and SQL injection vulnerabilities. For example, here is an example of a cross-site scripting vulnerability:

<?php$contents = file_get_contents ($_get[' filename '); echo $contents;? >

The solution is never to use contaminated data to point to a file name. Keep filtering the input and be sure to filter the data before it points to a file name:

<?php$clean = Array ();/* Filter Input ($_get[' filename ') */$contents = file_get_contents ($clean [' filename ']);? >

Although there is no guarantee that the data in the $content is completely free, there is a reasonable guarantee that the file you are reading is the one you want to read, not the attacker's designation. To enhance the security of this process, you also need to think of $content as input and filter it before use.

<?php$clean = Array (), $html = Array (),/* Filter Input ($_get[' filename ') */$contents = file_get_contents ($clean [' FileName ']);/* Filter Input ($contents) */$html [' contents '] = htmlentities ($clean [' contents '], ent_quotes, ' UTF-8 '); echo $html [' contents '];? >

The above process provides a powerful way to protect against multiple attacks, and is recommended for practical programming.

The risk of PHP opening remote files