From: eion at bigfoot dot com Operating system: Gentoo Linux PHP version: 4.4.4 PHP Bug Type: cURL related Bug description: cURL can be used to bypass allow_url_fopen=off
Description: ------------ Using cURL, there is no check for allow_url_fopen, so although file_get_contents('http://...'); doesn't work, CURLOPT_URL='http://...' does work. This could allow remote code execution. I guess this is sort of related to the cURL safe_mode bypass that was fixed in 4.4.4 (not sure if this should be sent to [EMAIL PROTECTED] tho) Reproduce code: --------------- //with allow_url_fopen off, file_get_contents doesn't work: $data = file_get_contents('http://php.net'); //with allow_url_fopen off, curl_exec does work: function file_getc($url) { $ch = curl_init(); curl_setopt($ch, CURLOPT_URL, $url); curl_setopt($ch, CURLOPT_HEADER, 0); curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); $data = curl_exec($ch); curl_close($ch); return $data; } $data = file_getc($data); Expected result: ---------------- That both file_get_contents and curl_exec throw warnings, blocking url openings Actual result: -------------- Warning: main() [function.main]: URL file-access is disabled in the server configuration in demo.php on line 2 .... [other warnings, standard to allow_url_fopen warnings] .... [php.net website contents] -- Edit bug report at http://bugs.php.net/?id=40396&edit=1 -- Try a CVS snapshot (PHP 4.4): http://bugs.php.net/fix.php?id=40396&r=trysnapshot44 Try a CVS snapshot (PHP 5.2): http://bugs.php.net/fix.php?id=40396&r=trysnapshot52 Try a CVS snapshot (PHP 6.0): http://bugs.php.net/fix.php?id=40396&r=trysnapshot60 Fixed in CVS: http://bugs.php.net/fix.php?id=40396&r=fixedcvs Fixed in release: http://bugs.php.net/fix.php?id=40396&r=alreadyfixed Need backtrace: http://bugs.php.net/fix.php?id=40396&r=needtrace Need Reproduce Script: http://bugs.php.net/fix.php?id=40396&r=needscript Try newer version: http://bugs.php.net/fix.php?id=40396&r=oldversion Not developer issue: http://bugs.php.net/fix.php?id=40396&r=support Expected behavior: http://bugs.php.net/fix.php?id=40396&r=notwrong Not enough info: http://bugs.php.net/fix.php?id=40396&r=notenoughinfo Submitted twice: http://bugs.php.net/fix.php?id=40396&r=submittedtwice register_globals: http://bugs.php.net/fix.php?id=40396&r=globals PHP 3 support discontinued: http://bugs.php.net/fix.php?id=40396&r=php3 Daylight Savings: http://bugs.php.net/fix.php?id=40396&r=dst IIS Stability: http://bugs.php.net/fix.php?id=40396&r=isapi Install GNU Sed: http://bugs.php.net/fix.php?id=40396&r=gnused Floating point limitations: http://bugs.php.net/fix.php?id=40396&r=float No Zend Extensions: http://bugs.php.net/fix.php?id=40396&r=nozend MySQL Configuration Error: http://bugs.php.net/fix.php?id=40396&r=mysqlcfg