Permalink
ffa9651 Dec 30, 2016
83 lines (62 sloc) 2.16 KB

Security Considerations

Url may point to system files

  • Don't blindly accept urls from users as they may point to system files. Curl supports many protocols including FILE. The following would show the contents of file:///etc/passwd.
# Attacker.
$ curl https://www.example.com/display_webpage.php?url=file%3A%2F%2F%2Fetc%2Fpasswd
// display_webpage.php
$url = $_GET['url']; // DANGER!
$curl = new Curl();
$curl->get($url);
echo $curl->response;

Safer:

function is_website_url($url, $allowed_schemes = array('http', 'https')) {
    $validate_url = !(filter_var($url, FILTER_VALIDATE_URL) === false);
    $scheme = parse_url($url, PHP_URL_SCHEME);
    return $validate_url && in_array($scheme, $allowed_schemes, true);
}

$url = $_GET['url'];
if (!is_website_url($url)) {
    die('Unsafe url detected.');
}

Url may point to internal urls

Request data may refer to system files

  • Request data prefixed with the @ character may have special interpretation and read from system files.
# Attacker.
$ curl https://www.example.com/upload_photo.php --data "photo=@/etc/passwd"
// upload_photo.php
$curl = new Curl();
$curl->post('http://www.anotherwebsite.com/', array(
    'photo' => $_POST['photo'], // DANGER!
));

Unsafe response with redirection enabled

$curl = new Curl();
$curl->setOpt(CURLOPT_FOLLOWLOCATION, true); // DANGER!
$curl->download('https://www.example.com/image.png', 'my_image.png');
$curl = new Curl();
$curl->setOpt(CURLOPT_FOLLOWLOCATION, true); // DANGER!
$curl->get('https://www.example.com/image.png');

Keep SSL protections enabled

  • Do not disable SSL protections.
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false); // DANGER!
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); // DANGER!