The directive "allow_url_fopen" is a useful feature of PHP.
For example, xoopsheadline depends on "allow_url_fopen".
If you turn "allow_url_fopen" off, you can't use xoopsheadline, either as a main module or as a block.
But in fact this feature often causes serious vulnerabilities: with it on, any include(), require() or fopen() whose path an attacker can influence can be pointed at a remote URL, so a file-inclusion bug becomes remote code execution. (PHP 5.2 later moved the include()/require() case to a separate directive, allow_url_include, which defaults to Off.)
I think that "allow_url_fopen On" is a setting which should be avoided as much as "register_globals On".
Scripts that use Snoopy instead of fopen("http://...", "r") work under "allow_url_fopen Off", because Snoopy speaks HTTP over fsockopen(), which the directive does not govern.
Of course, xoopsheadline can also work under "allow_url_fopen Off" if it is modified to use Snoopy.
line 62 in xoopsheadline/class/headlinerenderer.php
old:
    if (!$fp = fopen($this->_hl->getVar('headline_rssurl'), 'r')) {
        $this->_setErrors('Could not open file: '.$this->_hl->getVar('headline_rssurl'));
        return false;
    }
    $data = '';
    while (!feof($fp)) {
        $data .= fgets($fp, 4096);
    }
    fclose($fp);
new:
    // start of snoopy hack
    // Snoopy fetches over fsockopen(), which allow_url_fopen does not govern.
    $error_level_stored = error_reporting();
    error_reporting($error_level_stored & ~E_NOTICE);
    // includes Snoopy class for remote file access
    require_once(XOOPS_ROOT_PATH."/class/snoopy.php");
    $snoopy = new Snoopy;
    // TIMEOUT 5 seconds: a stalled feed server must not hang the whole page
    $snoopy->read_timeout = 5; // timeout on read operations, in seconds
    // URL fetch
    $url = $this->_hl->getVar('headline_rssurl');
    if (!$snoopy->fetch($url) || !$snoopy->results) {
        $message = 'Could not open file: '.$url;
        if (!empty($snoopy->error)) {
            $message .= ' snoopy status='.$snoopy->error;
        }
        $this->_setErrors($message);
        // restore the error level on the failure path too, otherwise E_NOTICE
        // stays suppressed for the rest of the request
        error_reporting($error_level_stored);
        return false;
    }
    $data = $snoopy->results;
    error_reporting($error_level_stored);
    // end of snoopy hack
(thanks to hokousya & domifara)
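To show what the Snoopy hack above relies on, here is the same fetch done by hand: an HTTP GET over a plain fsockopen() socket, which "allow_url_fopen Off" does not block. This is an added example, not code from xoopsheadline, xhld or Snoopy. It assumes plain http:// URLs only (https would need the openssl extension or curl, which is how Snoopy handles it), sends an HTTP/1.0 request so the server does not answer with a chunked body, and uses a response parser and a constructed sample response of my own so the parsing half can be tried offline; both functions return array($body_or_false, $error).

```php
<?php
// Added example, not code from xoopsheadline or xhld: an HTTP GET that works with
// "allow_url_fopen Off", done the way Snoopy does it, over a plain fsockopen()
// socket that the directive does not govern.
// Assumptions (mine, not the original post's): plain http:// URLs only, and an
// HTTP/1.0 request so the server does not reply with a chunked body.

function parse_http_response($raw)
{
    // The header block ends at the first blank line; tolerate bare LF from sloppy servers.
    $split = strpos($raw, "\r\n\r\n");
    $sep_len = 4;
    if ($split === false) {
        $split = strpos($raw, "\n\n");
        $sep_len = 2;
    }
    if ($split === false) {
        return array(false, 'malformed response: no header/body separator');
    }
    $head = substr($raw, 0, $split);
    $body = substr($raw, $split + $sep_len);

    if (!preg_match('#^HTTP/\d\.\d (\d{3})#', $head, $m)) {
        return array(false, 'malformed response: bad status line');
    }
    $status = (int)$m[1];
    if ($status < 200 || $status > 299) {
        // Redirects are deliberately not followed: the feed URL is an admin setting,
        // so a 3xx is reported instead of silently fetching from a different host.
        return array(false, "HTTP status $status");
    }
    return array($body, null);
}

function http_get_via_socket($url, $timeout = 5, $max_bytes = 1048576)
{
    $p = parse_url($url);
    if ($p === false || empty($p['host']) || empty($p['scheme']) || strtolower($p['scheme']) !== 'http') {
        return array(false, 'only plain http:// URLs are handled here');
    }
    $host = $p['host'];
    $port = isset($p['port']) ? (int)$p['port'] : 80;
    $path = (isset($p['path']) && $p['path'] !== '') ? $p['path'] : '/';
    if (isset($p['query'])) {
        $path .= '?'.$p['query'];
    }

    $errno = 0;
    $errstr = '';
    $fp = @fsockopen($host, $port, $errno, $errstr, $timeout);
    if (!$fp) {
        return array(false, "connect failed: $errstr ($errno)");
    }
    // Same role as Snoopy's read_timeout: a server that accepts the connection and
    // then stalls must not hang the page that renders the headline block.
    stream_set_timeout($fp, $timeout);

    $request = "GET $path HTTP/1.0\r\n"
             ."Host: $host\r\n"
             ."User-Agent: headline-fetch-example/1.0\r\n"
             ."Connection: close\r\n\r\n";
    fwrite($fp, $request);

    $raw = '';
    while (!feof($fp) && strlen($raw) < $max_bytes) {
        $chunk = fread($fp, 8192);
        $meta = stream_get_meta_data($fp);
        if ($meta['timed_out']) {
            fclose($fp);
            return array(false, "read timed out after {$timeout}s");
        }
        if ($chunk === false || $chunk === '') {
            break;
        }
        $raw .= $chunk;
    }
    fclose($fp);
    if (strlen($raw) >= $max_bytes) {
        // A feed this large is more likely an attack on memory than a headline list.
        return array(false, "response reached the $max_bytes byte limit");
    }
    return parse_http_response($raw);
}

// Constructed sample response (not captured from a real server), so the parsing
// half of the example can be exercised without network access:
$sample = "HTTP/1.0 200 OK\r\nContent-Type: application/rss+xml\r\nConnection: close\r\n\r\n"
        ."<rss version=\"2.0\"><channel><title>demo</title></channel></rss>";
list($body, $err) = parse_http_response($sample);
if ($body === false) {
    echo "parse failed: $err\n";
} else {
    echo "parsed body of ".strlen($body)." bytes\n";
}
```

In headlinerenderer.php the call would be list($data, $err) = http_get_via_socket($this->_hl->getVar('headline_rssurl')); followed by the same _setErrors() handling as in the hack above. Unlike Snoopy, it refuses https:// and 3xx answers rather than shelling out to curl or following the redirect, which is the safer default for a URL that an administrator has pinned in the module's configuration.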
I've released a module named XoopsHeadLine-Duplicatable (xhld).
xhld uses Snoopy and changes some points from the original.
Of course, xhld is a duplicatable module.
Since this module works independently of xoopsheadline, you can try it without worry.
If you've moved to xhld or applied the hack yourself, add
    php_flag allow_url_fopen Off
to the .htaccess in XOOPS_ROOT_PATH.
(If you are the server's admin, change php.ini and restart httpd instead. Note that in PHP 5 and later allow_url_fopen is a PHP_INI_SYSTEM directive, so a php_flag line in .htaccess is ignored without any error; php.ini or the httpd.conf/vhost section are then the only places where it can be set. Either way, confirm the result with phpinfo() served by the web server, not from the command line, which reads its own php.ini.)
This change makes your XOOPS site more resistant to attacks.
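Because a php_flag line can be silently ignored and the CLI may read a different php.ini than mod_php or php-fpm, the setting is only proven by checking it from inside the SAPI that serves XOOPS. The script below is an added example, not part of the original post or of xhld; the file name check_url_fopen.php and the dead target 127.0.0.1:9 are my own choices. It does more than read the flag: it attempts the http:// open that the directive is supposed to refuse and reports whether PHP refused it.

```php
<?php
// Added example, not part of the original post or of xhld: confirm that
// "allow_url_fopen Off" actually reached the SAPI that serves XOOPS.
// Save as check_url_fopen.php (a name I chose) under XOOPS_ROOT_PATH, request it
// once through the web server, read the output, then delete it.

function url_fopen_status()
{
    $reported_on = filter_var(ini_get('allow_url_fopen'), FILTER_VALIDATE_BOOLEAN);

    // Try the operation itself rather than trusting the reported flag. With the
    // directive Off, PHP refuses the http:// wrapper before any connection is made.
    // 127.0.0.1:9 is a constructed dead target (assumed closed) so that an "On"
    // result also fails fast, with "Connection refused" instead of a wrapper error.
    $fp = @fopen('http://127.0.0.1:9/', 'r');
    $last = error_get_last();
    if ($fp) {
        fclose($fp);
    }
    // Both the PHP 4 and the PHP 5+ wording of the refusal contain this phrase.
    $refused_by_ini = $last !== null
        && stripos($last['message'], 'disabled in the server configuration') !== false;

    return array(
        'sapi'            => PHP_SAPI,
        'ini_reports_on'  => $reported_on,
        'wrapper_refused' => $refused_by_ini,
        'effectively_off' => !$reported_on && $refused_by_ini,
    );
}

header('Content-Type: text/plain');
foreach (url_fopen_status() as $key => $value) {
    printf("%-16s %s\n", $key, var_export($value, true));
}
```

If ini_reports_on is false but wrapper_refused is also false, the flag was changed somewhere that does not apply to this SAPI (for example in the CLI's php.ini), and the .htaccess or php.ini step above has to be repeated in the right place.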