ID: 40396 User updated by: eion at bigfoot dot com Reported By: eion at bigfoot dot com Status: Open Bug Type: cURL related Operating System: Gentoo Linux PHP Version: 4.4.4 New Comment:
Sorry, just re-read the example, which sucks. But you get the general idea. Previous Comments: ------------------------------------------------------------------------ [2007-02-08 02:40:34] eion at bigfoot dot com Description: ------------ Using cURL, there is no check for allow_url_fopen, so although file_get_contents('http://...'); doesn't work, CURLOPT_URL='http://...' does work. This could allow remote code execution. I guess this is sort of related to the cURL safe_mode bypass that was fixed in 4.4.4 (not sure if this should be sent to [EMAIL PROTECTED] tho) Reproduce code: --------------- //with allow_url_fopen off, file_get_contents doesn't work: $data = file_get_contents('http://php.net'); //with allow_url_fopen off, curl_exec does work: function file_getc($url) { $ch = curl_init(); curl_setopt($ch, CURLOPT_URL, $url); curl_setopt($ch, CURLOPT_HEADER, 0); curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); $data = curl_exec($ch); curl_close($ch); return $data; } $data = file_getc($data); Expected result: ---------------- That both file_get_contents and curl_exec throw warnings, blocking url openings Actual result: -------------- Warning: main() [function.main]: URL file-access is disabled in the server configuration in demo.php on line 2 .... [other warnings, standard to allow_url_fopen warnings] .... [php.net website contents] ------------------------------------------------------------------------ -- Edit this bug report at http://bugs.php.net/?id=40396&edit=1