ID: 40396
User updated by: eion at bigfoot dot com
Reported By: eion at bigfoot dot com
Status: Open
Bug Type: cURL related
Operating System: Gentoo Linux
PHP Version: 4.4.4
New Comment:
Sorry, just re-read the example, which sucks. But you get the general
idea.
Previous Comments:
------------------------------------------------------------------------
[2007-02-08 02:40:34] eion at bigfoot dot com
Description:
------------
Using cURL, there is no check for allow_url_fopen, so although
file_get_contents('http://...'); doesn't work, CURLOPT_URL='http://...'
does work.
This could allow remote code execution.
I guess this is sort of related to the cURL safe_mode bypass that was
fixed in 4.4.4
(not sure if this should be sent to [EMAIL PROTECTED] tho)
Reproduce code:
---------------
//with allow_url_fopen off, file_get_contents doesn't work:
$data = file_get_contents('http://php.net');
//with allow_url_fopen off, curl_exec does work:
function file_getc($url)
{
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$data = curl_exec($ch);
curl_close($ch);
return $data;
}
$data = file_getc($data);
Expected result:
----------------
That both file_get_contents and curl_exec throw warnings, blocking url
openings
Actual result:
--------------
Warning: main() [function.main]: URL file-access is disabled in the
server configuration in demo.php on line 2
.... [other warnings, standard to allow_url_fopen warnings]
.... [php.net website contents]
------------------------------------------------------------------------
--
Edit this bug report at http://bugs.php.net/?id=40396&edit=1
