Is allow_url_fopen safe? [duplicate]

Question

This question already has an answer here:

• Should I allow 'allow_url_fopen' in PHP? 5 answers

I am currently using file_get_contents() to get the title of a webpage, given the URL. On wamp, this works perfectly fine. However, when I shifted this to my web server, I came across a problem which lead me to this answer. (Which is to set allow_url_fopen to 1).

Is there a major security risk in setting this on? If yes, are there any alternate ways to grab the title of a webpage from the URL itself?

(Also, unsure of tags for this so please feel free to add/remove if appropriate!)

Edit (1) : Further research lead me to this question, which pretty much says that it is a risk as well, and to disable it if the application does not need it. Unfortunately this does not tell me enough about the risk involved.

Edit (2) : Quick note, I will be using this function with user input (the URL), and not internally, which is why I want to ensure there is absolutely no security risk involved

Answer 1

This is just one reason why you may want allow_url_fopen set to 0

Let's say you allow users to enter a url, and you have your server fetch this url.

You might code something like this: - YOU SHOULD NOT CODE THIS -

echo file_get_contents($_POST['url']);

Problem is that there is a security issue here. Somebody could pass a file path instead of a url and have access to your server's files.

For example, somebody might pass /etc/passwd as a url, and be able to view its contents.

Now, if allow_url_fopen were set to 0, you wouldn't be using file_get_contents to fetch URL's, you would be using CURL.

Answer 2

allow_url_fopen is fine. If you need the feature, enable it. There are better tools out there for loading data from remote URLs (like the curl extension), but it's good enough for some simple use cases.

Its close relative, allow_url_include, is not safe. It allows functions like include() and require() to load and run code from remote URLs, which is a really bad idea. Leave that one turned off.

In the past, allow_url_include didn't always exist as a distinct option, so it was necessary to turn allow_url_fopen off to prevent badly written scripts from including data from remote URLs. That's no longer the case, though.