Is allow_url_fopen safe?


Question

I am currently using file_get_contents() to get the title of a webpage, given the URL. On wamp, this works perfectly fine. However, when I shifted this to my web server, I came across a problem which led me to this answer. (Which is to set allow_url_fopen to 1).

Is there a major security risk in setting this on? If yes, are there any alternate ways to grab the title of a webpage from the URL itself?

(Also, unsure of tags for this so please feel free to add/remove if appropriate!)

Edit (1): Further research led me to this question, which pretty much says that it is a risk as well, and to disable it if the application does not need it. Unfortunately this does not tell me enough about the risk involved.

Edit (2) : Quick note, I will be using this function with user input (the URL), and not internally, which is why I want to ensure there is absolutely no security risk involved

Recommended answer

This is just one reason why you may want allow_url_fopen set to 0

Let's say you allow users to enter a url, and you have your server fetch this url.

You might code something like this: - YOU SHOULD NOT CODE THIS -

echo file_get_contents($_POST['url']);

Problem is that there is a security issue here. Somebody could pass a file path instead of a url and have access to your server's files.

For example, somebody might pass /etc/passwd as a url, and be able to view its contents.

Now, if allow_url_fopen were set to 0, you wouldn't be using file_get_contents to fetch URLs, you would be using cURL.
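The safer pattern the answer points at, written out as an added example (this is not code from the original answer): the user-supplied value is validated as an absolute http(s) URL before anything is fetched, so a bare path like /etc/passwd is rejected, and the fetch itself goes through cURL with its protocol list restricted, so neither the request nor a redirect can reach a file:// URL. It assumes the cURL extension is loaded; the function name fetchTitle is my own.

```php
<?php
// Added example: fetch a page title from a user-supplied URL without ever
// passing user input to file_get_contents(). Assumes ext/curl is available.

function fetchTitle(string $userUrl): ?string
{
    // Reject anything that is not an absolute http(s) URL. A bare path such
    // as /etc/passwd, or a file:// URL, fails here before any fetch happens.
    if (filter_var($userUrl, FILTER_VALIDATE_URL) === false) {
        return null;
    }
    $scheme = strtolower((string) parse_url($userUrl, PHP_URL_SCHEME));
    if (!in_array($scheme, ['http', 'https'], true)) {
        return null;
    }

    $ch = curl_init($userUrl);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER   => true,
        // Allow only http/https for the initial request and for redirects,
        // so cURL itself refuses a redirect to file:// or another scheme.
        CURLOPT_PROTOCOLS        => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_REDIR_PROTOCOLS  => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_FOLLOWLOCATION   => true,
        CURLOPT_MAXREDIRS        => 3,
        CURLOPT_CONNECTTIMEOUT   => 5,
        CURLOPT_TIMEOUT          => 10,
        // Only the <head> is needed: abort once more than 1 MiB has arrived
        // (a non-zero return from the progress callback aborts the transfer).
        CURLOPT_NOPROGRESS       => false,
        CURLOPT_PROGRESSFUNCTION => function ($ch, $dlTotal, $dlNow) {
            return $dlNow > 1048576 ? 1 : 0;
        },
    ]);
    $body = curl_exec($ch);
    curl_close($ch);
    if ($body === false) {
        return null;
    }

    // Pull out the <title>, decode entities, then escape for safe output.
    if (!preg_match('/<title[^>]*>(.*?)<\/title>/is', $body, $m)) {
        return null;
    }
    return htmlspecialchars(trim(html_entity_decode($m[1])), ENT_QUOTES, 'UTF-8');
}

var_dump(fetchTitle('/etc/passwd'));          // rejected: not an http(s) URL
var_dump(fetchTitle('https://example.com/'));  // fetched over HTTPS via cURL
```

Note that turning allow_url_fopen off does not by itself stop file_get_contents() from reading a local path; the validation and the cURL protocol restriction above are what prevent that.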
