Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Request validation fails if allow_url_fopen is disabled #65

Closed
SDPrio opened this issue Jan 22, 2019 · 2 comments
Closed

Request validation fails if allow_url_fopen is disabled #65

SDPrio opened this issue Jan 22, 2019 · 2 comments
Labels
good first issue

Comments

@SDPrio
Copy link

SDPrio commented Jan 22, 2019

Downloading certificate in RequestValidator->validateSignature uses file_get_contents and thus depends on allow_url_fopen to be enabled. For security reasons this is not the case on many servers. In these cases file_get_contents will fail and simply return an empty string. The validation will fail as well of course.

Can be fixed by using curl instead or as fallback:

if (ini_get('allow_url_fopen')) {
    $certData = @file_get_contents($request->signatureCertChainUrl);
} else {
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $request->signatureCertChainUrl);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    $certData = curl_exec($ch);
    curl_close($ch);
}
@maxbeckers
Copy link
Owner

Yes, you're right. But I would prefer to change it to guzzle, we have already in the project.

@SDPrio
Copy link
Author

SDPrio commented Jan 25, 2019

Great! Thank you very much!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
good first issue
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@SDPrio @maxbeckers