Is allow_url_fopen safe?
Question
I am currently using file_get_contents() to get the title of a webpage, given the URL. On WAMP, this works perfectly fine. However, when I shifted this to my web server, I came across a problem which led me to this answer. (Which is to set allow_url_fopen to 1.)
Is there a major security risk in setting this on? If yes, are there any alternate ways to grab the title of a webpage from the URL itself?
(Also, unsure of tags for this so please feel free to add/remove if appropriate!)
Edit (1): Further research led me to this question, which pretty much says that it is a risk as well, and to disable it if the application does not need it. Unfortunately this does not tell me enough about the risk involved.
Edit (2): Quick note, I will be using this function with user input (the URL), and not internally, which is why I want to ensure there is absolutely no security risk involved.
Answer
This is just one reason why you may want allow_url_fopen set to 0.
Let's say you allow users to enter a URL, and you have your server fetch this URL.
You might code something like this: - YOU SHOULD NOT CODE THIS -
echo file_get_contents($_POST['url']);
Problem is that there is a security issue here. Somebody could pass a file path instead of a URL and have access to your server's files.
For example, somebody might pass /etc/passwd as a URL, and be able to view its contents.
Now, if allow_url_fopen were set to 0, you wouldn't be using file_get_contents to fetch URLs, you would be using cURL.
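Editor's worked example, added to this page and not taken from the question or the answer above. Two caveats a practitioner should have in mind when reading the answer: allow_url_fopen only gates PHP's URL stream wrappers (http://, ftp:// and the like), so with the directive set to 0 the snippet above still reads a plain filesystem path such as /etc/passwd, and still reads php://filter streams, which are never gated by it; and handing the same raw user URL to cURL does not help either, because libcurl speaks file://, gopher://, dict:// and more unless CURLOPT_PROTOCOLS restricts it. The real issue is that the user picks the target (local file disclosure plus server-side request forgery against internal hosts), so the fix is to allow-list what a "URL" may be and then constrain the client. The code assumes PHP 8.0+ with ext-curl; the function names (vulnerable_fetch, reject_reason, is_public_ip, resolve_public_ip, fetch_title) and the sample inputs in the CLI section are the example's own. The validation part runs offline; the fetch itself needs network access.

```php
<?php
// Added example, not the original answer's code. Assumes PHP 8.0+ and ext-curl.
// All function names below are this example's own, not PHP built-ins.

// The answer's pattern. allow_url_fopen only gates URL wrappers (http://, ftp://);
// a filesystem path or php://filter is readable whether the directive is 0 or 1.
function vulnerable_fetch(string $target): string|false
{
    return @file_get_contents($target); // attacker controls the whole target
}

// True for a literal IP outside private, loopback, link-local and reserved ranges.
function is_public_ip(string $ip): bool
{
    return filter_var($ip, FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) !== false;
}

// Allow-list check on the URL text alone: absolute http(s) URL, no embedded
// credentials, no loopback name, no literal non-public IP.
// Returns null when acceptable, otherwise the reason it was refused.
function reject_reason(string $url): ?string
{
    $p = parse_url($url);
    if ($p === false || !isset($p['scheme'], $p['host'])) {
        return 'not an absolute URL';            // catches /etc/passwd and file:///...
    }
    $scheme = strtolower($p['scheme']);
    if ($scheme !== 'http' && $scheme !== 'https') {
        return "scheme '$scheme' is not http or https"; // catches php://, ftp://, gopher://
    }
    if (isset($p['user']) || isset($p['pass'])) {
        return 'credentials embedded in URL';
    }
    $host = strtolower(trim($p['host'], '[]'));  // parse_url keeps IPv6 brackets
    if ($host === 'localhost' || str_ends_with($host, '.localhost')) {
        return 'loopback hostname';
    }
    if (filter_var($host, FILTER_VALIDATE_IP) !== false && !is_public_ip($host)) {
        return 'IP address in a private or reserved range';
    }
    return null;
}

// Resolve the host once (IPv4 A records only in this example) and refuse it if any
// answer is non-public. A decimal host such as 2130706433 is not a dotted quad, so it
// reaches this step; on glibc the resolver turns it into 127.0.0.1 and it is refused.
function resolve_public_ip(string $host): ?string
{
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        return is_public_ip($host) ? $host : null;   // literal IP: nothing to resolve
    }
    $ips = gethostbynamel($host);
    if ($ips === false || $ips === []) {
        return null;
    }
    foreach ($ips as $ip) {
        if (!is_public_ip($ip)) {
            return null;
        }
    }
    return $ips[0];
}

// cURL restricted to http(s), redirects disabled (a redirect could point back at an
// internal host), the checked IP pinned with CURLOPT_RESOLVE so a second DNS lookup
// cannot rebind to an internal address, and a byte cap on the response.
function fetch_title(string $url, int $maxBytes = 262144): string
{
    if (($why = reject_reason($url)) !== null) {
        throw new InvalidArgumentException("refused $url: $why");
    }
    $p    = parse_url($url);
    $host = $p['host'];
    $port = $p['port'] ?? (strtolower($p['scheme']) === 'https' ? 443 : 80);
    $ip   = resolve_public_ip(trim($host, '[]'));
    if ($ip === null) {
        throw new InvalidArgumentException("refused $url: host is not a public address");
    }
    $isLiteral = filter_var(trim($host, '[]'), FILTER_VALIDATE_IP) !== false;
    $body = '';
    $ch   = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_PROTOCOLS       => CURLPROTO_HTTP | CURLPROTO_HTTPS, // no file://, gopher://
        CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_FOLLOWLOCATION  => false,
        CURLOPT_RESOLVE         => $isLiteral ? [] : ["$host:$port:$ip"],
        CURLOPT_CONNECTTIMEOUT  => 5,
        CURLOPT_TIMEOUT         => 10,
        CURLOPT_SSL_VERIFYPEER  => true,
        CURLOPT_WRITEFUNCTION   => function ($ch, string $chunk) use (&$body, $maxBytes): int {
            $body .= $chunk;
            return strlen($body) > $maxBytes ? 0 : strlen($chunk); // short return aborts transfer
        },
    ]);
    curl_exec($ch);
    $errno = curl_errno($ch);
    if ($errno !== 0 && $errno !== CURLE_WRITE_ERROR) {   // write error here means our size cap
        throw new RuntimeException('fetch failed: ' . curl_strerror($errno));
    }
    return preg_match('~<title[^>]*>(.*?)</title>~is', $body, $m)
        ? trim(html_entity_decode($m[1], ENT_QUOTES | ENT_HTML5, 'UTF-8'))
        : '';
}

if (PHP_SAPI === 'cli') {
    // Constructed attacker inputs; every one is refused before any I/O happens.
    foreach (['/etc/passwd', 'file:///etc/passwd',
              'php://filter/convert.base64-encode/resource=index.php',
              'http://127.0.0.1:8080/admin', 'http://169.254.169.254/latest/meta-data/',
              'http://user:pw@example.com/', 'http://localhost/'] as $bad) {
        printf("%-58s -> %s\n", $bad, reject_reason($bad) ?? 'ACCEPTED');
    }
    if (isset($argv[1])) {                // php fetch_title.php https://example.com/
        echo fetch_title($argv[1]), "\n"; // this part needs network access
    }
}
```

The design point is that the check happens on the resolved address and that address is then pinned for the actual connection; checking the hostname text alone is bypassable with numeric hosts, and checking once and letting cURL resolve again is bypassable with DNS rebinding. What this example deliberately leaves out, and a production version must add, is AAAA resolution (IPv6 answers are not inspected here) and any scheme for following redirects safely, which needs the same resolve-and-pin step per hop.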