How to pass on openssl context options from PHP curl - php

I am trying to talk to a buggy webserver that I don't control over SSL from PHP+curl.
I wrote a little C program directly against the openssl lib, and through that identified that, if I enable the openssl options SSL_OP_NO_COMPRESSION and SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS explicitly in the call to SSL_CTX_set_options(), I can get it to work. Like this:
SSL_CTX_set_options(ctx, SSL_OP_NO_COMPRESSION | SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS)
but, ...that is in my isolated C program.
Can I, somehow, make PHP+curl set these options, when it establishes the SSL connection? CURL seems to operate on a much higher level.
Here are my own findings, so far:
I know about curl_setopt, but I see no options like those in its list.
I have found something called stream options, but I am not clear on how or if they are used with CURL, and again, I see no match for the options I need.
The PHP manual on openssl seems to only be about functions to handle keys and certificates.
Then, there is HttpRequest setSslOptions, but again, that seems to closely match options to CURL context.
UPDATE
After the response from "user2076645" on the option for disabling compression, I git-cloned the source of PHP and took a look around myself.
Specifically, I found this piece of code:
#if OPENSSL_VERSION_NUMBER >= 0x0090605fL
ssl_ctx_options &= ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS;
#endif
which explicitly disables the option I need. I looked up the commit message, too, and it was a fix to a possible attack on SSL.
So, I guess it can't be done from PHP, currently :-(

Not sure if it helps, but there is an option to disable compression:
http://git.php.net/?p=php-src.git;a=commitdiff;h=4a01ddfb5569da1b87dd4cac95c3f709fb607396;hp=bb4d11b405ae1f37a8b0e4db630e80c5678f0746
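An added example, mine rather than code from the question or the answer above, that goes one step beyond what the thread found. libcurl's OpenSSL backend starts from SSL_OP_ALL, current releases add SSL_OP_NO_COMPRESSION themselves, and it clears SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS unless the handle has CURLSSLOPT_ALLOW_BEAST set; so with libcurl 7.25.0 or newer and a PHP build that registers CURLOPT_SSL_OPTIONS (PHP 5.5 and later, to my knowledge) that one flag reproduces the option set of the C program. The second function uses the https:// stream wrapper with the disable_compression ssl context flag, which I take to be the option the linked commit adds (PHP 5.4.13 and later); that route covers compression only. The host name is a placeholder.

```php
<?php
// Added example, not code from the question or the answer.
//  (a) ext/curl: CURLSSLOPT_ALLOW_BEAST tells libcurl to keep
//      SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS set; libcurl already sets
//      SSL_OP_NO_COMPRESSION. Needs libcurl >= 7.25.0 and CURLOPT_SSL_OPTIONS.
//  (b) streams: the ssl context flag disable_compression (PHP >= 5.4.13),
//      assumed here to be what the linked commit adds. No knob exists for the
//      empty-fragment option on this path; PHP's stream code clears it.

/**
 * curl GET with the empty-fragment workaround disabled for this one handle.
 * This deliberately weakens TLS 1.0 CBC protection, so scope it to the broken host.
 */
function curl_get_legacy_tls(string $url): string
{
    if (!defined('CURLOPT_SSL_OPTIONS') || !defined('CURLSSLOPT_ALLOW_BEAST')) {
        throw new RuntimeException('this PHP/libcurl does not expose CURLOPT_SSL_OPTIONS');
    }
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_SSL_VERIFYHOST => 2,
        CURLOPT_SSL_OPTIONS    => CURLSSLOPT_ALLOW_BEAST, // keep SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
        CURLOPT_TIMEOUT        => 15,
    ]);
    $body = curl_exec($ch);
    $err  = curl_error($ch);
    curl_close($ch);
    if ($body === false) {
        throw new RuntimeException("curl failed: $err");
    }
    return $body;
}

/**
 * Same fetch via the https:// stream wrapper: compression off, certificate
 * checks on, but the empty-fragment option stays as PHP compiled it.
 */
function stream_get_no_compression(string $url): string
{
    $ctx = stream_context_create([
        'ssl'  => [
            'disable_compression' => true,   // -> SSL_OP_NO_COMPRESSION
            'verify_peer'         => true,
            'verify_peer_name'    => true,
        ],
        'http' => ['timeout' => 15, 'ignore_errors' => true],
    ]);
    $body = @file_get_contents($url, false, $ctx);
    if ($body === false) {
        throw new RuntimeException('stream failed: ' . (error_get_last()['message'] ?? 'unknown'));
    }
    return $body;
}

// Usage against the placeholder broken host:
// echo curl_get_legacy_tls('https://legacy.example.com/');
```

Setting CURLSSLOPT_ALLOW_BEAST re-enables the TLS 1.0 CBC weakness that the empty-fragment workaround exists for, so keep it on a handle used only for that one server, and check curl_version()['version'] first to confirm the running libcurl is new enough for the option to have any effect.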

Related

Is there a way to set "local-port" curl option in PHP?

I would like to explicitly define the source port range curl should use for the connections.
In the curl docs this option would be local-port, but I can't find any PHP documentation relating to the setup of this curl option.
There's a comment in the documentation:
Seems like some options not mentioned on this page, but listed on http://curl.haxx.se/libcurl/c/curl_easy_setopt.html, are actually supported.
According to the libcurl docs, CURLOPT_LOCALPORT is what you're looking for. Hopefully that's defined in PHP. If it isn't, you can try using the value 139 according to the source.
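An added example, not code from the question or the answer: binding a curl handle to a source port range from PHP. It assumes libcurl's numbering as I read it in curl.h, CURLOPT_LOCALPORT = 139 (the value the answer cites) and CURLOPT_LOCALPORTRANGE = 140, and falls back to those numbers only when the PHP build did not register the constants. The URL and port range are placeholders.

```php
<?php
// Added example, not from the question or answer. CURLOPT_LOCALPORT (139) and
// CURLOPT_LOCALPORTRANGE (140) are CURLOPTTYPE_LONG options in curl.h, so the
// raw numbers work on PHP builds that never exported the constant names.

function curl_local_port_option(): int
{
    return defined('CURLOPT_LOCALPORT') ? CURLOPT_LOCALPORT : 139;
}

function curl_local_port_range_option(): int
{
    return defined('CURLOPT_LOCALPORTRANGE') ? CURLOPT_LOCALPORTRANGE : 140;
}

/**
 * Return a curl handle that binds to a local port in [$first, $first + $count - 1].
 * libcurl tries the ports in turn and fails the transfer if none can be bound.
 */
function curl_init_with_local_ports(string $url, int $first, int $count = 1)
{
    if ($first < 1 || $count < 1 || $first + $count - 1 > 65535) {
        throw new InvalidArgumentException('port range out of bounds');
    }
    $ch = curl_init($url);
    if ($ch === false) {
        throw new RuntimeException('curl_init failed');
    }
    $ok = curl_setopt_array($ch, [
        curl_local_port_option()       => $first,
        curl_local_port_range_option() => $count,
        CURLOPT_RETURNTRANSFER         => true,
        CURLOPT_TIMEOUT                => 10,
    ]);
    if (!$ok) {
        // An option number this libcurl does not know is rejected here.
        throw new RuntimeException('curl_setopt_array rejected an option: ' . curl_error($ch));
    }
    return $ch;
}

// Usage: pin outbound connections to 40000-40009, e.g. to match a firewall rule.
$ch   = curl_init_with_local_ports('https://example.com/', 40000, 10);
$body = curl_exec($ch);
if ($body === false) {
    // A range with no bindable port typically surfaces as CURLE_INTERFACE_FAILED (45).
    fwrite(STDERR, sprintf("curl error %d: %s\n", curl_errno($ch), curl_error($ch)));
}
curl_close($ch);
```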

PHP - Run external function in 'safe mode'

I'm trying to write a website in PHP that allows the user to enter PHP code, and then be able to run it on my server. However, I want to be able to disable certain features (file access, database access, etc.). Basically, I want the code to run without any risk to my server, and if the code does attempt to do something dangerous, I just want the code to stop running (I don't mind if it just stops, produces an error, or carries on while ignoring the dangerous code).
Is this possible, and if so, how could I achieve this?
Thanks :)
It is possible using libraries that do some simple checking or limiting.
Take a look at a PECL (PHP Extensions) extension called RunKit_Sandbox http://php.net/manual/en/runkit.sandbox.php or PHPSandbox.
The key to look for on Google is PHP Sandbox, it will find you similar libraries.
vi php.ini
and then find disable_functions,
and disable the functions you want, like this:
disable_functions = exec,passthru,popen,proc_open,shell_exec,system,phpinfo,assert,chroot,getcwd,scandir,delete,rmdir,rename,chgrp,chmod,chown,copy,mkdir,file,file_get_contents,fputs,fwrite,dir
I actually developed a package specifically for these kinds of use cases. It can be fully configured and even used to override dangerous functions and globals.
https://github.com/fieryprophet/php-sandbox
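An added example, mine rather than code from any of the answers, of the "simple checking" the first answer mentions: a tokenizer pass over submitted code that rejects the constructs no sandbox can allow (eval, include/require, backticks, variable function calls) and any call to a function the host lists in disable_functions. The list of indirect-call names, the helper names and the sample submission at the end are my own choices.

```php
<?php
// Added example, not code from any answer: a tokenizer-based pre-screen for
// user-submitted PHP. It is a syntactic denylist and therefore only a first
// line of defence; the hard limits must stay in disable_functions,
// open_basedir and process isolation.

// Language constructs no sandbox can allow (they are not functions, so
// disable_functions cannot switch them off).
const FORBIDDEN_CONSTRUCTS = [T_EVAL, T_INCLUDE, T_INCLUDE_ONCE, T_REQUIRE, T_REQUIRE_ONCE];

/**
 * Lower-cased set of call names to reject: whatever php.ini disabled, plus a
 * hand-picked list of functions that call other functions indirectly.
 */
function forbidden_functions(array $extra = []): array
{
    $disabled = array_filter(array_map('trim', explode(',', (string) ini_get('disable_functions'))));
    $indirect = ['call_user_func', 'call_user_func_array', 'array_map', 'array_walk', 'usort',
                 'register_shutdown_function', 'create_function', 'extract', 'parse_str'];
    $names = array_map('strtolower', array_merge($disabled, $indirect, $extra));
    return array_fill_keys($names, true);
}

/** Index of the next token after $i that is not whitespace. */
function next_non_ws(array $tokens, int $i): int
{
    $n = count($tokens);
    $j = $i + 1;
    while ($j < $n && is_array($tokens[$j]) && $tokens[$j][0] === T_WHITESPACE) {
        $j++;
    }
    return $j;
}

/** Returns "line: reason" strings; an empty array means the screen passed. */
function screen_user_code(string $source, array $forbidden): array
{
    $problems   = [];
    $tokens     = token_get_all($source);
    $n          = count($tokens);
    $inBacktick = false;

    for ($i = 0; $i < $n; $i++) {
        $tok = $tokens[$i];

        if (is_string($tok)) {                      // single-character tokens
            if ($tok === '`') {                     // `cmd` is shell_exec()
                if (!$inBacktick) {
                    $problems[] = 'backtick shell execution is not allowed';
                }
                $inBacktick = !$inBacktick;
            }
            continue;
        }

        [$id, $text, $line] = $tok;

        if (in_array($id, FORBIDDEN_CONSTRUCTS, true)) {
            $problems[] = "$line: $text is not allowed";
            continue;
        }

        // Plain or fully-qualified name (PHP 8 tokenizes \exec as one token).
        $isName = $id === T_STRING
               || (defined('T_NAME_FULLY_QUALIFIED') && $id === T_NAME_FULLY_QUALIFIED);
        $j = next_non_ws($tokens, $i);
        $isCall = $j < $n && $tokens[$j] === '(';

        if ($isName && $isCall && isset($forbidden[strtolower(ltrim($text, '\\'))])) {
            $problems[] = "$line: call to $text() is not allowed";
        } elseif ($id === T_VARIABLE && $isCall) {
            // $f("id"): the target is only known at run time, so reject it outright.
            $problems[] = "$line: variable function call $text() is not allowed";
        }
    }
    return $problems;
}

// Constructed sample submission for the demo; 'system' is added explicitly in
// case this host has an empty disable_functions.
$sample   = '<?php echo strlen("ok"); $f = "system"; $f("id"); echo `whoami`; system("id");';
$problems = screen_user_code($sample, forbidden_functions(['system']));
if ($problems) {
    echo "rejected:\n - " . implode("\n - ", $problems) . "\n";
} else {
    echo "passed the pre-screen (still run it under disable_functions)\n";
}
```

This is a pre-filter, not the boundary: a name assembled at run time ("sys" . "tem") sails through a token scan, so the real enforcement has to stay with disable_functions, open_basedir, and running the code in a separate unprivileged process with a time and memory limit.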

What's the common practice to invoke a JSON call in PHP?

I'm trying to make a JSON call library. It has the following features.
be able to customize the header
be able to POST any data to server(including form-encoding (a=1&b=2&c=3) and JSON data chunk)
parse the response and return as a JSON object
I searched in other questions and found that there are only two answers.
use file_get_contents(). This way is pretty simple and easy to use; however, you cannot do anything more than get the content -- you cannot add headers, cannot use POST. But it is usually supported by all servers.
use curl. This way seems powerful and you can do nearly everything with it. The disadvantage is that you have to install libcurl and php-curl support on your server, which means you may not use it on servers that have no curl installed.
So, if I want to develop a common library that can be used on most servers, is curl a good choice?
Is there any other ways to do this?
In short, I'm looking for a PHP version of urllib2 in Python: easy to use, powerful, and reliable.
You have two options: curl and HTTP stream context options. Both can accomplish what you have described; curl might not be installed everywhere, while stream contexts are a core feature and are always available.
Actually, you can also implement your library using sockets, which would be more work but will probably allow you greater control if you need to do weirder things with your requests.
As far as I know, curl is included on most servers, since it has been supported natively since PHP 4.0.2.
Also there is a native PHP function, header, which customizes your response's headers simply by using it like this: header('location: index.php'), header('cache-control: ok') and so on. You can view the Network Functions section on php.net.
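An added example, not code from the question or any answer: the JSON client described in the question, built on the http:// stream wrapper alone, since that is the mechanism available wherever allow_url_fopen is on. With a stream context the wrapper sends any method, header and body, which covers all three points in the question. It assumes PHP 7.3 or later for JSON_THROW_ON_ERROR; the endpoint URLs in the usage comment are placeholders.

```php
<?php
// Added example, not code from the question or answers: a JSON client on the
// http:// stream wrapper. Headers, method and body all go through the stream
// context, so nothing here needs ext/curl. PHP >= 7.3 for JSON_THROW_ON_ERROR.

/**
 * @param  array<string,string> $headers extra request headers
 * @param  array|string|null    $body    array: encoded as JSON or form data per $asJson;
 *                                       string: sent as-is (caller supplies Content-Type)
 * @return array{status:int, headers:string[], json:mixed}
 */
function json_call(string $method, string $url, array $headers = [], $body = null, bool $asJson = true): array
{
    $lines = ['Accept: application/json'];
    foreach ($headers as $name => $value) {
        // Header injection guard: a CR/LF inside a value would start a new header.
        if (preg_match('/[\r\n]/', $name . $value)) {
            throw new InvalidArgumentException("illegal characters in header $name");
        }
        $lines[] = "$name: $value";
    }

    $content = '';
    if ($body !== null) {
        if (is_array($body)) {
            $content = $asJson
                ? json_encode($body, JSON_THROW_ON_ERROR)
                : http_build_query($body);                       // a=1&b=2&c=3
            $lines[] = 'Content-Type: ' . ($asJson ? 'application/json'
                                                   : 'application/x-www-form-urlencoded');
        } else {
            $content = $body;
        }
    }

    $ctx = stream_context_create(['http' => [
        'method'          => strtoupper($method),
        'header'          => implode("\r\n", $lines),
        'content'         => $content,
        'timeout'         => 15,
        'ignore_errors'   => true,   // return 4xx/5xx bodies instead of false
        'follow_location' => 0,      // never replay a POST body to a redirect target
    ]]);

    $raw = @file_get_contents($url, false, $ctx);
    if ($raw === false) {
        throw new RuntimeException("request to $url failed: " . (error_get_last()['message'] ?? 'unknown'));
    }

    // The wrapper fills $http_response_header; its first line is the status line.
    $status = 0;
    if (preg_match('#^HTTP/\S+\s+(\d{3})#', $http_response_header[0] ?? '', $m)) {
        $status = (int) $m[1];
    }
    $json = ($raw === '') ? null : json_decode($raw, true, 512, JSON_THROW_ON_ERROR);

    return ['status' => $status, 'headers' => $http_response_header, 'json' => $json];
}

// Usage against placeholder endpoints:
// $r = json_call('POST', 'https://api.example.com/items',
//                ['Authorization' => 'Bearer TOKEN'], ['a' => 1, 'b' => 2]);          // JSON body
// $r = json_call('POST', 'https://api.example.com/login', [], ['user' => 'u'], false); // a=1&b=2 style
// $r = json_call('GET',  'https://api.example.com/items/1');
// if ($r['status'] >= 400) { /* $r['json'] may hold the server's error document */ }
```

Because ignore_errors is on, a 4xx or 5xx comes back as a normal result with its status and decoded body, instead of file_get_contents returning false and throwing the error document away; a response that is not valid JSON still raises, which is the right default for a client that promises to return parsed data.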

CURL vs allow_url_fopen Which is safer for getting images?

I have a script that users can input an image URL into (from another website) and then crop it using JS and have it saved on my server.
My question is... when getting the image from another server, is it safer to use CURL or allow_url_fopen (via file_get_contents())? Or is there a preferred/safer method available?
Security is a big concern for me, as I know this is a very dangerous procedure. The script will only need to work for image files, if that makes a difference.
Thanks
curl's error handling is much better than file_get_contents(). If you care about that, curl's probably the way to go. If a simple "oops, that didn't work" is enough for you, though, file_get_contents() is a perfectly acceptable shortcut.
First of all, if you want to get into a deep security discussion: downloading files is in fact a security concern if you don't know what you are doing.
You can overwrite vital files or even overwrite system files in some cases. Uploading scripts, etc. to the server with the intention of executing them via the web server is also an issue.
So it's not sunshine and rainbows like people pointing out here.
Back to your question: allow_url_fopen is a configuration directive. I assume you meant file_get_contents(). Either will do fine. As others pointed out, Curl is a bit more verbose and it's also faster.
If you do end up using file_get_contents(), make sure you never include an unfiltered variable as a parameter.
Downloading a file is not a security concern at all, no matter whether it's your server or your own computer, or the application/code you are using to download it :) It's whether you are executing the file :D
All you have to do is just make sure you are not going to EXECUTE / INCLUDE anything in the file. Since you are only going to crop the image, I think you are good to go :)
I suggest cURL though; allow_url_fopen may raise security problems in other places in your code.
cURL has more options and possibilities.
Both are equally safe (or unsafe if misused).
It is wiser to use cURL because you will build up your experience with a more powerful function, which may serve you in future projects.
Also, if this very project needs new functionality later on, you will not have to rewrite everything with cURL if file_get_contents is not enough.
The answer of this thread shows a nice cURL function: Replace file_get_content() with cURL?
curl would generally be a safer way. It'd take an explicit design/coding decision on your part to allow the results from curl to directly affect your program, whereas allowing URLs in the f*() functions would let
include('http://example.com/really_nasty_remote_takeover.php');
occur without error.
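An added example, mine and not code from any answer on this page, of the curl path with the checks a practitioner would put around a user-supplied image URL: protocols restricted to http/https including across redirects, a size cap enforced in the write callback, the type decided from the bytes rather than the URL or the Content-Type header, and the image re-encoded through GD and written under a server-chosen name. It assumes ext/curl and ext/gd; MAX_IMAGE_BYTES and the destination directory are my choices.

```php
<?php
// Added example, not from any answer here: fetch a user-supplied image URL
// with curl, then keep only pixel data. Requires ext/curl and ext/gd.

const MAX_IMAGE_BYTES = 5 * 1024 * 1024;   // my limit; tune to the crop tool's needs

/** Download, validate and re-encode; returns the path written. */
function fetch_remote_image(string $url, string $destDir): string
{
    $parts = parse_url($url);
    if (!$parts || empty($parts['host'])
        || !in_array(strtolower($parts['scheme'] ?? ''), ['http', 'https'], true)) {
        throw new InvalidArgumentException('only http(s) URLs are accepted');
    }

    $buf = '';
    $ch  = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_PROTOCOLS       => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTP | CURLPROTO_HTTPS, // no file://, gopher://... via 302
        CURLOPT_FOLLOWLOCATION  => true,
        CURLOPT_MAXREDIRS       => 3,
        CURLOPT_CONNECTTIMEOUT  => 5,
        CURLOPT_TIMEOUT         => 20,
        CURLOPT_SSL_VERIFYPEER  => true,
        CURLOPT_SSL_VERIFYHOST  => 2,
        CURLOPT_MAXFILESIZE     => MAX_IMAGE_BYTES,   // only honoured when Content-Length is sent
        CURLOPT_WRITEFUNCTION   => function ($ch, string $chunk) use (&$buf): int {
            $buf .= $chunk;
            // Returning fewer bytes than received aborts the transfer (CURLE_WRITE_ERROR).
            return strlen($buf) > MAX_IMAGE_BYTES ? 0 : strlen($chunk);
        },
    ]);
    if (curl_exec($ch) === false) {
        $err = curl_error($ch);
        curl_close($ch);
        throw new RuntimeException("download failed: $err");
    }
    curl_close($ch);

    // Decide the type from the bytes, never from the URL suffix or the server's header.
    $info = @getimagesizefromstring($buf);
    if ($info === false || !in_array($info[2], [IMAGETYPE_JPEG, IMAGETYPE_PNG, IMAGETYPE_GIF], true)) {
        throw new RuntimeException('not a JPEG/PNG/GIF image');
    }

    // Re-encode: drops EXIF, trailing archives, PHP-in-a-comment polyglots, etc.
    $img = @imagecreatefromstring($buf);
    if ($img === false) {
        throw new RuntimeException('image failed to decode');
    }
    $dest = rtrim($destDir, '/') . '/' . bin2hex(random_bytes(16)) . '.png'; // server-chosen name
    $ok   = imagepng($img, $dest);
    imagedestroy($img);
    if (!$ok) {
        throw new RuntimeException('could not write image');
    }
    return $dest;
}

// Usage (placeholder URL and directory):
// $path = fetch_remote_image('https://images.example.com/cat.jpg', '/var/www/uploads');
```

Re-encoding is what makes the "only crop it" argument above hold: whatever trailed the pixel data in the original file is gone before anything is stored. The server is still issuing a request to an address the user picked, so if it can reach anything internal, resolve the host and refuse private ranges before calling this.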

are there mechanisms, to disable file_get_contents() function working?

I use the file_get_contents function to grab data from sites and store the data in a database. It will be very inconvenient for me if one day the script stops working.
I know that it can stop working if they change the structure of the site, but now I'm afraid that maybe there are mechanisms to disable the working of this function, maybe from the server?
I tried to find documentation about it, but couldn't find any, so maybe you can help me?
Thanks
I know that it can stop working if they change the structure of the site, but now I'm afraid that maybe there are mechanisms to disable the working of this function, maybe from the server?
Yes, it can be disabled from php.ini with the allow_url_fopen option. You have other options such as the CURL extension too.
Note also that you will need to have the openssl extension turned on in php.ini if you are going to use the file_get_contents function to read from a secure protocol.
So in case file_get_contents is/gets disabled, you can go for the CURL extension.
It is possible to disable certain functions using disable_functions. Furthermore, the support of URLs with filesystem functions like file_get_contents can be disabled with allow_url_fopen. So chances are that file_get_contents might not work as expected one day.
There are at least two PHP configuration directives that can break your script:
If allow_url_fopen is disabled, then file_get_contents() will not be able to fetch files that are not on the local disk, i.e. it will not be able to load remote pages via HTTP.
Note: I've seen that option disabled quite a few times.
And, of course, with disable_functions, any PHP function can be disabled.
Chances are pretty low that file_get_contents() itself will ever get disabled...
But remote-file loading... Well, it might be wise to add an alternative loading mechanism to your script, that would use curl in case allow_url_fopen is disabled.
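An added example, not code from the question or any answer: the fallback the last answer suggests, driven by the live configuration rather than guesswork. It reads allow_url_fopen, disable_functions and the registered stream wrappers, prefers file_get_contents, and drops to curl when the wrapper route is switched off. PHP 7.4 or later is assumed for the arrow function; the URL in the usage comment is a placeholder.

```php
<?php
// Added example, not code from the question or answers: pick the remote-loading
// mechanism this PHP build still permits, and fetch through it. PHP >= 7.4.

/** Capabilities derived from the live configuration. */
function remote_fetch_capabilities(): array
{
    $disabled   = array_map('trim', explode(',', (string) ini_get('disable_functions')));
    $isDisabled = fn(string $fn): bool => in_array($fn, $disabled, true) || !function_exists($fn);
    $wrappers   = stream_get_wrappers();

    return [
        // file_get_contents('http://...') works only if all three hold
        'url_fopen' => filter_var(ini_get('allow_url_fopen'), FILTER_VALIDATE_BOOLEAN)
                       && !$isDisabled('file_get_contents')
                       && in_array('http', $wrappers, true),
        'https_ok'  => in_array('https', $wrappers, true),   // registered by ext/openssl
        'curl'      => !$isDisabled('curl_init') && !$isDisabled('curl_exec'),
    ];
}

/**
 * Fetch an http(s) URL, preferring the stream wrapper and falling back to
 * curl when allow_url_fopen is off. Throws when neither route is usable.
 */
function fetch_url(string $url): string
{
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    if (!in_array($scheme, ['http', 'https'], true)) {
        throw new InvalidArgumentException('only http(s) URLs are supported');
    }
    $caps = remote_fetch_capabilities();

    if ($caps['url_fopen'] && ($scheme === 'http' || $caps['https_ok'])) {
        $ctx  = stream_context_create(['http' => ['timeout' => 15, 'ignore_errors' => true]]);
        $body = @file_get_contents($url, false, $ctx);
        if ($body !== false) {
            return $body;
        }
        if (!$caps['curl']) {   // nothing to fall back to: report the stream error
            throw new RuntimeException('stream fetch failed: ' . (error_get_last()['message'] ?? 'unknown'));
        }
    }

    if ($caps['curl']) {
        $ch = curl_init($url);
        curl_setopt_array($ch, [
            CURLOPT_RETURNTRANSFER => true,
            CURLOPT_FOLLOWLOCATION => true,
            CURLOPT_MAXREDIRS      => 3,
            CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
            CURLOPT_TIMEOUT        => 15,
        ]);
        $body = curl_exec($ch);
        $err  = curl_error($ch);
        curl_close($ch);
        if ($body === false) {
            throw new RuntimeException("curl fetch failed: $err");
        }
        return $body;
    }

    throw new RuntimeException("neither allow_url_fopen nor ext/curl is usable here; $scheme fetches are disabled on this host");
}

// Usage (placeholder URL):
// $html = fetch_url('https://example.com/');
```

The capability check is the part worth keeping even if the fetch code changes: it is what turns "the script silently broke one day" into a clear error naming the directive that was flipped.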
