3

Is allow_url_fopen always a security risk, or only when you let others insert URLs? For example, when you want to set video stream links from another server of yours, the only way to add a new URL is from your admin area, and the only person who has access to that area is you. So is there any security risk in this situation?


For those who want to answer: please keep in mind that I have read hundreds of blog posts and questions about allow_url_fopen, and everyone keeps saying to use cURL instead; I know what cURL is and I know how to use it, and it's not exactly the same thing, so forget that.

I am not asking about alternatives; I just want to know the answer to my own question.

  • Is it possible for someone to fool the admin into adding a malicious URL? – Limit Apr 26 '18 at 16:14
  • @Limit No way. Links are only accepted from a specific video streaming server, and the admin of both servers is the same person. Actually, no one except that admin knows that there are two servers, and the main reason for using `allow_url_fopen` here is hiding the second server. – Zargaripour Apr 26 '18 at 16:30

1 Answer

3

It is a security risk in the sense that it is incredibly tricky to get right. A small mistake you may have no idea you made could compromise you. That being said, if you do actually get it correct, it should not be a security risk on its own.

I would compare it, for example, to the Content Security Policy header (CSP). If you don't make any mistake that would allow an XSS attack, then CSP is not needed, but it is very hard to get right. So using CSP is very good to make sure, and it increases security a lot.

Peter Harmann
  • Thanks for your reply. Links are only accepted from a specific video streaming server, and there are many filters to check the URL before sending it to `readfile()`. And that specific video stream server checks media type, size, duration and anything else to make sure that it is a real and clean video file before creating a public link. Could there still be any common risk? – Zargaripour Apr 26 '18 at 16:47
  • @Zargaripour For one, you should probably use https for URLs, if you are not already. Another thing is that you will obviously fortify your readfile as if it were Fort Knox. But what about other uses of the function? What about other functions affected by that setting? Are you sure there is no function in some library which also works with files and does not check it? Because that is the real risk. Even if there is none now, will everyone modifying your code years from now remember they need to do these checks? What about library updates? – Peter Harmann Apr 26 '18 at 16:50
  • Both servers are behind https. Actually, the whole system works fine without `allow_url_fopen`, but the one problem is that we want to hide source links from visitors, and the only use of that option is `readfile` for changing the source URL to a generated one on the main domain. That's it, no other use. And for those problems that can happen as a result of development, we can mention it in the development documents as a critical area. Would that be enough then? – Zargaripour Apr 26 '18 at 17:15
  • @Zargaripour As I understand it, yes. But do not forget (mention it in the docs) that you not only have to be careful in your code, but any library/third-party stuff running on your web server must be secured as well, and considering third-party stuff will be updated over time by a team not aware of this, it may cause problems. – Peter Harmann Apr 26 '18 at 19:02
  • Great. It's okay, because this application is on a dedicated server and we have no third-party stuff in the backend. Thank you so much, Peter – Zargaripour Apr 26 '18 at 22:55
  • @Zargaripour OK, glad to help :) – Peter Harmann Apr 26 '18 at 22:56
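As an added example (not code from the question, the answer, or the asker's application), here is what the kind of `readfile()` guard discussed in this thread could look like in PHP: an allowlist check that the URL really points at the one streaming server, placed in front of the single `readfile()` call site that relies on `allow_url_fopen`. It also shows why the check has to reject more than just a wrong hostname: with `allow_url_fopen` on, `readfile()` will happily open `php://`, `file://` and `data:` targets, and a `user@host` userinfo trick changes the host that `parse_url()` reports. The hostname `stream.example.net`, the `/media/` path prefix and the MP4 content type are assumptions for the example, not facts from the page; `str_contains()` needs PHP 8.

```php
<?php
declare(strict_types=1);

// Assumed allowlist for this example: the one origin the admin may stream from.
const ALLOWED_SCHEME = 'https';
const ALLOWED_HOST   = 'stream.example.net';   // assumption
const ALLOWED_PREFIX = '/media/';              // assumption

/**
 * Return $url unchanged if it is a plain https URL on the allowlisted host
 * and path prefix; otherwise throw. Rejects anything that would let
 * readfile() reach another stream wrapper or another host.
 */
function validate_stream_url(string $url): string
{
    // Cheap pre-check before parsing: kills php://, file://, data:, glob://, etc.
    if (!preg_match('#^https://#i', $url)) {
        throw new InvalidArgumentException('only https:// URLs are accepted');
    }

    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'], $parts['path'])) {
        throw new InvalidArgumentException('unparseable URL');
    }

    // A static media file never needs credentials, a custom port, a query or a
    // fragment; each is a common way to smuggle in a different target.
    foreach (['user', 'pass', 'port', 'query', 'fragment'] as $forbidden) {
        if (isset($parts[$forbidden])) {
            throw new InvalidArgumentException("URL must not contain a $forbidden component");
        }
    }

    if (strtolower($parts['scheme']) !== ALLOWED_SCHEME
        || strtolower($parts['host']) !== ALLOWED_HOST) {
        throw new InvalidArgumentException('host is not the allowlisted streaming server');
    }

    // Path must stay under the media prefix: no traversal, no odd bytes.
    $path = $parts['path'];
    if (strpos($path, ALLOWED_PREFIX) !== 0
        || str_contains($path, '..')
        || preg_match('#[^A-Za-z0-9_\-./]#', $path)) {
        throw new InvalidArgumentException('path outside allowed media prefix');
    }

    return $url;
}

/**
 * Stream the remote file to the visitor so only the main domain is visible.
 * This is the one call site that depends on allow_url_fopen.
 */
function proxy_stream(string $url): void
{
    $url = validate_stream_url($url);

    // Defence in depth: remote *inclusion* must stay impossible regardless.
    if (filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN)) {
        throw new RuntimeException('allow_url_include must be off');
    }

    // Explicit context: bounded timeout, no redirect following (a redirect
    // would silently bypass the host check), TLS verification on.
    $ctx = stream_context_create([
        'http' => ['timeout' => 10, 'follow_location' => 0],
        'ssl'  => ['verify_peer' => true, 'verify_peer_name' => true],
    ]);

    header('Content-Type: video/mp4');           // assumption: all media is MP4
    header('X-Content-Type-Options: nosniff');
    if (@readfile($url, false, $ctx) === false) {
        http_response_code(502);
    }
}

// Constructed inputs showing what the validator accepts and rejects.
$cases = [
    'https://stream.example.net/media/clip1.mp4'         => true,
    'http://stream.example.net/media/clip1.mp4'          => false, // plain http
    'https://evil.example.org/media/clip1.mp4'           => false, // wrong host
    'https://stream.example.net@evil.example.org/x.mp4'  => false, // userinfo trick
    'php://filter/resource=https://stream.example.net/x' => false, // wrapper
    'https://stream.example.net/media/../../etc/passwd'  => false, // traversal
    'file:///etc/passwd'                                 => false, // local file
];
foreach ($cases as $candidate => $expected) {
    try {
        validate_stream_url($candidate);
        $accepted = true;
    } catch (InvalidArgumentException $e) {
        $accepted = false;
    }
    printf("%-55s %s\n", $candidate, $accepted === $expected ? 'as expected' : 'UNEXPECTED');
}
```

The point of `follow_location => 0` and the `allow_url_include` check is the one Peter Harmann raises: the danger is not the guarded call itself but every other path by which a URL can reach a file function, including an upstream redirect that the allowlist never saw. Keeping the validator in one function, and calling `readfile()` on remote URLs from one place only, is what makes the "document it as a critical area" plan auditable later.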