Say good-bye to allow_url_fopen

Date 2004-07-21 17:09:37 | Category: XOOPS

The directive "allow_url_fopen" is a useful feature of PHP.
For example, xoopsheadline depends on "allow_url_fopen".
If you turn "allow_url_fopen" off, you can't use xoopsheadline, either as a main page or as a block.

But in fact this feature often causes serious vulnerabilities: with it on, any include() or fopen() whose path an attacker can influence can be pointed at a remote URL.
I think "allow_url_fopen On" is a setting that should be avoided as much as "register_globals On".

Scripts that use Snoopy instead of fopen("http://...", "r") work under "allow_url_fopen Off", because Snoopy talks to the remote server over a socket rather than through PHP's URL wrappers.
So xoopsheadline can also work under "allow_url_fopen Off" if it is modified to use Snoopy.
line 62 in xoopsheadline/class/headlinerenderer.php
old:

		if (!$fp = fopen($this->_hl->getVar('headline_rssurl'), 'r')) {
			$this->_setErrors('Could not open file: '.$this->_hl->getVar('headline_rssurl'));
			return false;
		}
		$data = '';
		while (!feof ($fp)) {
			$data .= fgets($fp, 4096);
		}
		fclose ($fp);

new:

		// start of snoopy hack
		$error_level_stored = error_reporting();
		error_reporting($error_level_stored & ~E_NOTICE);	// suppress notices raised inside Snoopy
		// includes Snoopy class for remote file access (works with allow_url_fopen Off)
		require_once(XOOPS_ROOT_PATH."/class/snoopy.php");
		$snoopy = new Snoopy;
		// timeout on read operations, in seconds
		$snoopy->read_timeout = 5;
		// URL fetch
		if (!$snoopy->fetch($this->_hl->getVar('headline_rssurl')) || !$snoopy->results) {
			$msg = 'Could not open file: '.$this->_hl->getVar('headline_rssurl');
			if (!empty($snoopy->error)) {
				$msg .= ' (snoopy status='.$snoopy->error.')';
			}
			$this->_setErrors($msg);
			return false;
		}
		$data = $snoopy->results;
		error_reporting($error_level_stored);
		// end of snoopy hack
(thx to hokousya & domifara)
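Snoopy works without allow_url_fopen because it opens a plain socket to the server instead of handing a URL to fopen(). The following is an added example, not code from xoopsheadline, xhld or Snoopy, that shows that mechanism in a small self-contained fetch with the same timeout and error-return shape as the hack above; the function name and the sample URL are assumptions.

```php
<?php
// Added example, not code from xoopsheadline, xhld or Snoopy: a minimal RSS
// fetch over fsockopen(), the mechanism that lets Snoopy run with
// allow_url_fopen Off (only fopen()/include() with a URL need that flag).
// Returns array($body, $error); $error is '' on success.
function fetch_rss_without_url_fopen($url, $timeout = 5)
{
    $p = parse_url($url);
    // Accept only a well-formed plain http:// URL with a host; anything else
    // (ftp://, file://, php://, a bare path) is refused up front.
    if ($p === false || !isset($p['scheme'], $p['host']) || strtolower($p['scheme']) !== 'http') {
        return array('', 'refused: not a plain http:// URL');
    }
    $port = isset($p['port']) ? (int) $p['port'] : 80;
    $path = (isset($p['path']) && $p['path'] !== '') ? $p['path'] : '/';
    if (isset($p['query'])) {
        $path .= '?' . $p['query'];
    }
    // Raw TCP connection: fsockopen() is not gated by allow_url_fopen.
    $fp = @fsockopen($p['host'], $port, $errno, $errstr, $timeout);
    if (!$fp) {
        return array('', "connect failed: $errstr ($errno)");
    }
    stream_set_timeout($fp, $timeout); // read timeout, like Snoopy's read_timeout
    // HTTP/1.0 keeps the reply simple: no chunked transfer encoding.
    fwrite($fp, "GET $path HTTP/1.0\r\nHost: {$p['host']}\r\nConnection: close\r\n\r\n");
    $raw = '';
    while (!feof($fp)) {
        $raw .= fread($fp, 4096);
        $meta = stream_get_meta_data($fp);
        if ($meta['timed_out']) {
            fclose($fp);
            return array('', 'read timed out');
        }
    }
    fclose($fp);
    // Separate headers from body and insist on a 200 (redirects are not followed).
    $parts = explode("\r\n\r\n", $raw, 2);
    if (count($parts) < 2 || !preg_match('#^HTTP/\d\.\d (\d{3})#', $parts[0], $m) || $m[1] !== '200') {
        return array('', 'unexpected HTTP response');
    }
    return array($parts[1], '');
}
// Confirm the hardening from the post is in effect, then fetch a constructed sample URL.
if (ini_get('allow_url_fopen')) {
    echo "warning: allow_url_fopen is still On\n";
}
list($data, $err) = fetch_rss_without_url_fopen('http://example.com/rss.xml');
echo ($err === '') ? strlen($data) . " bytes fetched\n" : "error: $err\n";
```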

I've released a module named XoopsHeadLine-Duplicatable (xhld).
xhld uses Snoopy and changes a few points of the original.
Of course, xhld is a duplicatable module.
Since this module works independently of xoopsheadline, you can try it without disturbing your existing setup.

If you've moved to xhld or applied the hack yourself, add
php_flag allow_url_fopen Off

to the .htaccess in XOOPS_ROOT_PATH.
(If you are the server's admin, change php.ini and restart httpd.)
A php_flag line in .htaccess only takes effect under mod_php with AllowOverride permitting it, so confirm the result afterwards with phpinfo() or ini_get('allow_url_fopen').

This modification will make your XOOPS site stronger against attacks.

You can read more news at PEAK XOOPS.
http://xoops.peak.ne.jp

The URL for this story is:
http://xoops.peak.ne.jp/md/news/index.php?page=article&storyid=20