1
GIJOE
Say good-bye to allow_url_fopen
  • 2004/7/21 7:48
  • GIJOE
  • Quite a regular
  • Posts: 265
  • Since: 2003/8/13


The directive "allow_url_fopen" is a useful feature of PHP.
For example, xoopsheadline depends on "allow_url_fopen".
If you turn "allow_url_fopen" off, you can't use xoopsheadline, neither as main nor as block.

But this feature often causes serious vulnerabilities in fact.
I think that "allow_url_fopen On" is a setting which should be avoided as much as "register_globals On".

Scripts using snoopy instead of fopen("http://...","r") can work under "allow_url_fopen Off".
Of course, xoopsheadline can also work under "allow_url_fopen Off" if it is modified to use snoopy.

line 62 in xoopsheadline/class/headlinerenderer.php
old:
        // opens the feed URL through the http:// stream wrapper, which needs allow_url_fopen On
        if (!$fp = fopen($this->_hl->getVar('headline_rssurl'), 'r')) {
            $this->_setErrors('Could not open file: '.$this->_hl->getVar('headline_rssurl'));
            return false;
        }
        $data = '';
        while (!feof($fp)) {
            $data .= fgets($fp, 4096);
        }
        fclose($fp);

new:
        // start of snoopy hack
        $error_level_stored = error_reporting();
        error_reporting($error_level_stored & ~E_NOTICE);
        // includes Snoopy class for remote file access
        require_once(XOOPS_ROOT_PATH."/class/snoopy.php");
        $snoopy = new Snoopy;
        //TIMEOUT 5 second
        $snoopy->read_timeout = 5;                    // timeout on read operations, in seconds
        //URL fetch
        if (!$snoopy->fetch($this->_hl->getVar('headline_rssurl')) || !$snoopy->results) {
            if (!empty($snoopy->error)) {
                $this->_setErrors('Could not open file: '.$this->_hl->getVar('headline_rssurl').' snoopy status='.$snoopy->error);
                return false;
            } else {
                $this->_setErrors('Could not open file: '.$this->_hl->getVar('headline_rssurl'));
                return false;
            }
        }
        $data = $snoopy->results;
        error_reporting($error_level_stored);
        // end of snoopy hack
(thx to hokousya & domifara)

I've released a module named XoopsHeadLine-Duplicatable (xhld).
xhld uses snoopy and modifies some points from the original.
Of course, xhld is a duplicatable module.
Since this module can work independently from xoopsheadline, you can try it at ease.

If you've transferred to xhld or hacked it by yourself, add
php_flag allow_url_fopen Off

into .htaccess in XOOPS_ROOT_PATH.
(If you are the server's admin, change php.ini and restart httpd)

This modification will make your XOOPS site stronger against attacks.
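As an added illustration (not GIJOE's code and not Snoopy's), this shows why a socket-based fetch keeps working after the .htaccess change: fsockopen() opens a plain TCP connection and is not governed by allow_url_fopen, which only controls the URL stream wrappers used by fopen("http://..."). The function names and the 5-second timeout are assumptions; the second function checks that the flag is really Off in the running configuration.

```php
<?php
// Added example; not part of the original post, xoopsheadline or Snoopy.

// Fetch the body of a plain http:// URL over a raw socket (hypothetical helper).
// Works with allow_url_fopen=Off, for the same reason Snoopy does.
function fetch_without_url_fopen($url, $timeout = 5)
{
    $parts = parse_url($url);
    // Only plain http:// is handled; reject file://, ftp://, php:// and friends.
    if ($parts === false || empty($parts['host'])
        || !isset($parts['scheme']) || $parts['scheme'] !== 'http') {
        return false;
    }
    $host = $parts['host'];
    $port = isset($parts['port']) ? (int) $parts['port'] : 80;
    $path = isset($parts['path']) && $parts['path'] !== '' ? $parts['path'] : '/';
    if (isset($parts['query'])) {
        $path .= '?' . $parts['query'];
    }

    // fsockopen() is a TCP socket, not a URL wrapper, so allow_url_fopen is irrelevant.
    $fp = @fsockopen($host, $port, $errno, $errstr, $timeout);
    if (!$fp) {
        return false;
    }
    stream_set_timeout($fp, $timeout);   // read timeout, like $snoopy->read_timeout

    fwrite($fp, "GET $path HTTP/1.0\r\nHost: $host\r\nConnection: close\r\n\r\n");

    $response = '';
    while (!feof($fp)) {
        $chunk = fgets($fp, 4096);
        if ($chunk === false) {        // false on read timeout or socket error
            break;
        }
        $response .= $chunk;
    }
    fclose($fp);

    // Drop the status line and headers; hand back the body only.
    $split = strpos($response, "\r\n\r\n");
    return $split === false ? false : substr($response, $split + 4);
}

// Confirms the php_flag / php.ini change took effect for this script.
function allow_url_fopen_is_off()
{
    return !filter_var(ini_get('allow_url_fopen'), FILTER_VALIDATE_BOOLEAN);
}
```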

2
Mithrandir
Re: Say good-bye to allow_url_fopen

Excellent work, GIJOE, thank you
