Relative URL from 'Upload Publication' then openfile.php checks for absolute #11

Closed
JacobDorman opened this Issue Jan 29, 2012 · 1 comment


@JacobDorman

The 'upload publication' functionality returns a relative URL by default (hence the message about using absolute URLs above, I guess).

Then openfile.php checks for an absolute URL:

```php
// openfile.php: refuse to serve anything unless the requested file URL
// contains this server's own scheme and host name, so a relative URL
// never passes the check.
if ( strpos( $_GET['file'], ( isset( $_SERVER['HTTPS'] ) ? 'https://' : 'http://' ) . $_SERVER['SERVER_NAME'] ) === false )
	die();
```
@ericmann
Owner

The PHP script checks for an absolute file for a very specific reason - to prevent your site from being used as an open proxy by someone else. Absolute URLs are required because of the way openfile.php streams the file contents back to the browser, but we need to check to see if the file is actually on your server before doing so. Otherwise anyone could use your system to download content from just about anywhere.

This was a security concern raised by a few industry experts several months ago, and was patched to prevent that kind of abuse. If you think your site is pretty safe, feel free to remove that check from your copy of openfile.php. It will be replaced by a better (i.e. more secure) method in the future that will allow for both absolute and relative links and will allow you to attach remote content as well as local content.
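One way to implement the "is the file actually on your server" check described above so that it accepts both absolute and site-relative links, as an added example that is not the plugin's own openfile.php code: a root-relative path is anchored to the current host, the result is parsed, and the scheme and host are compared with the server's instead of searching for a substring. The function name, the example host `example.org` and the sample requests are constructed for illustration; in the real script the caller would pass `$_SERVER['SERVER_NAME']` and `isset($_SERVER['HTTPS'])`, as the check quoted in the issue does.

```php
<?php
// Added example, not the plugin's code: decide whether a requested publication
// URL points at this site before openfile.php streams it back. Anything whose
// host is not this server is refused, which is the open-proxy concern above.
// Returns the normalized absolute URL to fetch, or null to refuse.
function resolve_publication_url(string $file, string $serverName, bool $isHttps): ?string
{
    $scheme = $isHttps ? 'https' : 'http';
    $host   = strtolower($serverName);

    // Site-relative link ("/wp-content/uploads/x.pdf"): anchor it to this host.
    // A protocol-relative "//host/path" is deliberately not treated as local.
    if ($file !== '' && $file[0] === '/' && substr($file, 0, 2) !== '//') {
        $file = $scheme . '://' . $host . $file;
    }

    $parts = parse_url($file);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;                     // not an absolute URL we can reason about
    }
    $urlScheme = strtolower($parts['scheme']);
    if ($urlScheme !== 'http' && $urlScheme !== 'https') {
        return null;                     // only web URLs; no other stream wrappers
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        return null;                     // credentials in the authority are never legitimate here
    }
    if (strtolower($parts['host']) !== $host) {
        return null;                     // remote host: serving it would make us a proxy
    }
    // Only the scheme's default port counts as "this server"; extend with
    // $_SERVER['SERVER_PORT'] if the site is served on a custom port.
    $defaultPort = $urlScheme === 'https' ? 443 : 80;
    if (isset($parts['port']) && (int) $parts['port'] !== $defaultPort) {
        return null;
    }

    // Rebuild from the parsed components so what is fetched is exactly what was checked.
    $url = $urlScheme . '://' . $host . ($parts['path'] ?? '/');
    if (isset($parts['query'])) {
        $url .= '?' . $parts['query'];
    }
    return $url;
}

// Constructed sample requests against the hypothetical host example.org.
$checks = [
    '/wp-content/uploads/2012/01/report.pdf',                 // relative: accepted
    'http://example.org/wp-content/uploads/2012/01/report.pdf', // absolute, local: accepted
    'http://EXAMPLE.ORG:8080/report.pdf',                     // non-default port: refused
    'http://other.example.net/report.pdf',                    // remote host: refused
    'ftp://example.org/report.pdf',                           // non-web scheme: refused
    'report.pdf',                                             // bare filename: refused
];
foreach ($checks as $c) {
    $r = resolve_publication_url($c, 'example.org', false);
    printf("%-60s => %s\n", $c, $r ?? 'refused');
}
```

The function vets only the URL's origin; the path within the uploads directory is still whatever the caller supplies, so the streaming code should keep its own restrictions on where it reads from.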

@ericmann ericmann closed this Feb 1, 2012