{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://www.manongdao.com/data/attach/logo/logo.png', '推荐 Root(大扎) 的问题《Is allow_url_fopen safe? [duplicate]》','https://www.manongdao.com/q-221045.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}
This question already has an answer here:
- Should I allow 'allow_url_fopen' in PHP? 5 answers
I am currently using file_get_contents() to get the title of a webpage, given the URL. On wamp, this works perfectly fine. However, when I shifted this to my web server, I came across a problem which lead me to this answer. (Which is to set allow_url_fopen to 1).
Is there a major security risk in setting this on? If yes, are there any alternate ways to grab the title of a webpage from the URL itself?
(Also, unsure of tags for this so please feel free to add/remove if appropriate!)
Edit (1) : Further research lead me to this question, which pretty much says that it is a risk as well, and to disable it if the application does not need it. Unfortunately this does not tell me enough about the risk involved.
Edit (2) : Quick note, I will be using this function with user input (the URL), and not internally, which is why I want to ensure there is absolutely no security risk involved
This is just one reason why you may want
allow_url_fopenset to 0Let's say you allow users to enter a url, and you have your server fetch this url.
You might code something like this: - YOU SHOULD NOT CODE THIS -
Problem is that there is a security issue here. Somebody could pass a file path instead of a url and have access to your server's files.
For example, somebody might pass
/etc/passwdas a url, and be able to view its contents.Now, if
allow_url_fopenwere set to 0, you wouldn't be usingfile_get_contentsto fetch URL's, you would be using CURL.allow_url_fopenis fine. If you need the feature, enable it. There are better tools out there for loading data from remote URLs (like the curl extension), but it's good enough for some simple use cases.Its close relative,
allow_url_include, is not safe. It allows functions likeinclude()andrequire()to load and run code from remote URLs, which is a really bad idea. Leave that one turned off.In the past,
allow_url_includedidn't always exist as a distinct option, so it was necessary to turnallow_url_fopenoff to prevent badly written scripts from including data from remote URLs. That's no longer the case, though.