I am currently using file_get_contents() to get the title of a webpage, given the URL. On wamp, this works perfectly fine. However, when I shifted this to my web server, I came across a problem which led me to this answer. (Which is to set allow_url_fopen to 1).
Is there a major security risk in setting this on? If yes, are there any alternate ways to grab the title of a webpage from the URL itself?
(Also, unsure of tags for this so please feel free to add/remove if appropriate!)
Edit (1): Further research led me to this question, which pretty much says that it is a risk as well, and to disable it if the application does not need it. Unfortunately this does not tell me enough about the risk involved.
Edit (2): Quick note, I will be using this function with user input (the URL), and not internally, which is why I want to ensure there is absolutely no security risk involved.
This is just one reason why you may want allow_url_fopen set to 0.
Let's say you allow users to enter a url, and you have your server fetch this url.
You might code something like this: - YOU SHOULD NOT CODE THIS -
echo file_get_contents($_POST['url']);
Problem is that there is a security issue here. Somebody could pass a file path instead of a url and have access to your server's files.
For example, somebody might pass /etc/passwd as a url, and be able to view its contents.
Now, if allow_url_fopen were set to 0, you wouldn't be using file_get_contents to fetch URLs, you would be using CURL.
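An added example, not part of the original answer: one way to take the URL from user input without the local-file problem described above, by accepting only http/https input and fetching with cURL restricted to those protocols. The function names is_http_url, fetch_title and extract_title are hypothetical, and the sample inputs are constructed.

```php
<?php
/** Return true only for absolute http:// or https:// URLs that name a host. */
function is_http_url(string $input): bool
{
    $parts = parse_url(trim($input));
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        return false; // "/etc/passwd" has no scheme or host and is rejected here
    }
    return in_array(strtolower($parts['scheme']), ['http', 'https'], true);
}

/** Pull the text of the first <title> element out of an HTML string. */
function extract_title(string $html): ?string
{
    $doc = new DOMDocument();
    // @ suppresses parser warnings from malformed real-world HTML.
    if (!@$doc->loadHTML($html)) {
        return null;
    }
    $nodes = $doc->getElementsByTagName('title');
    return $nodes->length > 0 ? trim($nodes->item(0)->textContent) : null;
}

/** Fetch a page over HTTP(S) with cURL and return its title, or null. */
function fetch_title(string $url): ?string
{
    if (!is_http_url($url)) {
        return null;
    }
    $ch = curl_init(trim($url));
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER  => true,
        CURLOPT_PROTOCOLS       => CURLPROTO_HTTP | CURLPROTO_HTTPS, // no file://, ftp://, ...
        CURLOPT_FOLLOWLOCATION  => true,
        CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTP | CURLPROTO_HTTPS, // redirects obey the same rule
        CURLOPT_MAXREDIRS       => 3,
        CURLOPT_CONNECTTIMEOUT  => 5,
        CURLOPT_TIMEOUT         => 10,
    ]);
    $html = curl_exec($ch);
    return (is_string($html) && $html !== '') ? extract_title($html) : null;
}

// Constructed sample inputs: the two local-file forms are refused before any fetch.
foreach (['/etc/passwd', 'file:///etc/passwd', 'https://example.com/'] as $input) {
    printf("%-22s %s\n", $input, is_http_url($input) ? 'accepted' : 'rejected');
}
```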