How to get remote page with php cURL securely

Developer (https://www.devze.com), 2023-01-16 00:40, source: the web
I will have an app where I will prompt users for a URL (with proper regex url validation) and return the page with cURL and run some checks on it.

What would be the most secure way of returning a remote webpage securely with cURL? As I understand even cURL has some vulnerabilities, like 'safe mode' Security Bypass (http://www.securityfocus.com/bid/27413).


SecurityFocus claims this has been fixed in PHP 5.2.6. If you can't upgrade to that, you need to manually check for that attack vector. Perhaps check in your user input if the URL definitely has "http" in front of it, with if (substr($url, 0, 7) == 'http://')

Furthermore, according to the comments on this PHP bug report, curl gives you the option to disable specific protocols, including local file access, but only when you configure and compile from source. According to the cURL install manual it must be something like this (untested):

./configure --disable-file
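
An added example, not part of the original answer: the scheme check and the protocol restriction discussed above can both be applied at runtime, without recompiling libcurl. It assumes PHP 7 or later and a libcurl new enough to support CURLOPT_PROTOCOLS (7.19.4+); the function name fetch_remote_page and the sample URLs are hypothetical.

```php
<?php
// Added example: hypothetical helper, not code from the original answer.
function fetch_remote_page(string $url): string
{
    // Parse the scheme instead of using substr(), so "https://" is accepted
    // and the comparison is case-insensitive ("HTTP://" is a valid spelling).
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    if (!in_array($scheme, ['http', 'https'], true)) {
        throw new InvalidArgumentException('Only http and https URLs are allowed');
    }

    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER  => true,
        // Runtime counterpart of building with --disable-file: libcurl itself
        // refuses file://, ftp:// and every other protocol not listed here.
        CURLOPT_PROTOCOLS       => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        // A redirect must not be able to switch to another protocol either.
        CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_FOLLOWLOCATION  => true,
        CURLOPT_MAXREDIRS       => 3,
        CURLOPT_CONNECTTIMEOUT  => 5,
        CURLOPT_TIMEOUT         => 15,
        CURLOPT_SSL_VERIFYPEER  => true,
        CURLOPT_SSL_VERIFYHOST  => 2,
    ]);

    $body = curl_exec($ch);
    if ($body === false) {
        $error = curl_error($ch);
        curl_close($ch);
        throw new RuntimeException("cURL error: $error");
    }
    curl_close($ch);
    return $body;
}

// Constructed sample inputs: both are rejected before any request is made.
foreach (['file:///tmp/example.txt', 'ftp://example.com/x'] as $bad) {
    try {
        fetch_remote_page($bad);
    } catch (InvalidArgumentException $e) {
        echo "rejected $bad: {$e->getMessage()}\n";
    }
}
```

The scheme check and CURLOPT_PROTOCOLS overlap on purpose: the first rejects bad input early, the second still holds if a URL reaches cURL by another code path or through a redirect.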