All geek questions in one place

Security Issues Using the Readfile PHP Method

Hey. Are there any security issues I should worry about when using the readfile method in PHP? I would like to use the readfile method, which accepts the URL of a file stored on different third-party servers. Then I maintain the file for the user. Intuitively, it would seem that there is a risk that the URL can point to any file. On the other hand, I only use the readfile method (after processing some files that are not file-dependent), and I'm not sure if this would allow anything malicious on my server. Also, according to the manual, it seems that if I want to use the URL with readfile , I need to enable fopen wrappers . Thanks.

+2
source share
3 answers

readfile does not execute code on your server, so there is no problem.

However, some strange people may use your server to execute web requests to cause problems with your server by making unauthorized requests or causing an overload, so you might want to take this into account when encoding this type of function.

according to the manual, it seems that if I want to use the url with readfile, I need to enable fopen wrappers

Yes, you need to make sure allow_url_fopen is enabled. if not, you will have to learn cURL .

+3
source

The biggest security risk is injecting a garbled file service request from your file. Ie going through relative paths.

Allow_url_fopen also poses a security risk if you are not careful. It can allow requests that are passed through readfile (), include (), etc., To interpret PHP code, if that is what the request returned.

+1
source

I think you just need to focus on two things:

1) Do not let your users indicate which readfile is being read. (Potential to bypass directory traversal, etc.)

2) Do not allow users to modify the file readfile reads. (Potential for all kinds of harm!)

On top of my head, they attack me as the two most likely attacks that you will encounter regarding a readfile.

+1
source

Source: https://habr.com/ru/post/1246663/

More articles:


All Articles