
Security Considerations

Url may point to system files

  • Don't blindly accept URLs from users, as they may point to system files. Curl supports many protocols, including FILE, so the following would show the contents of file:///etc/passwd.
# Attacker.
$ curl
// display_webpage.php
// Illustrates the vulnerable pattern: the request target is taken straight from the
// query string and never checked, so a file:// (or any other non-web) URL reaches
// Curl unchanged.
$url = $_GET['url']; // DANGER!
$curl = new Curl();
// NOTE(review): the line that issues the request with $url is not present in this
// rendering; the response below is whatever that request returned.
echo $curl->response;


/**
 * Return true only when $url is a syntactically valid URL whose scheme is one of
 * $allowed_schemes (http and https by default).
 *
 * This rejects non-web schemes such as file://, but it does not stop a valid
 * http(s) URL from naming a loopback, link-local or private host, so on its own
 * it is not a defence against requests to internal services.
 */
function is_website_url($url, $allowed_schemes = array('http', 'https')) {
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return false;
    }
    // Strict comparison: parse_url() yields null (or false) when no scheme is present,
    // and neither may silently match an allowed entry.
    return in_array(parse_url($url, PHP_URL_SCHEME), $allowed_schemes, true);
}

// Reject the user-supplied value before it reaches Curl: only URLs that pass the
// scheme check continue, everything else stops the script here.
$url = $_GET['url'];
is_website_url($url) or die('Unsafe url detected.');

Url may point to internal urls

Request data may refer to system files

  • Request data prefixed with the @ character may be given special interpretation and cause a system file to be read.
# Attacker.
# A form value beginning with "@" is the input the server-side code must not forward as-is.
$ curl --data "photo=@/etc/passwd"
// upload_photo.php
// Illustrates the vulnerable pattern: a user-controlled POST field is forwarded
// verbatim. If the value starts with "@", curl-side file-upload handling may read
// the named local file (see the attacker request above) instead of sending the
// string. Only intended uploads should be turned into files (e.g. via CURLFile);
// a leading "@" in plain user data should be rejected or neutralised first.
// NOTE(review): the target URL and the closing of the post() call are not present
// in this rendering.
$curl = new Curl();
$curl->post('', array(
    'photo' => $_POST['photo'], // DANGER!

Unsafe response with redirection enabled

// When redirects are followed, the body written to my_image.png may come from a
// host or scheme other than the one that was originally validated, and nothing
// guarantees it is an image. Restrict CURLOPT_REDIR_PROTOCOLS (or do not follow
// redirects via CURLOPT_FOLLOWLOCATION) and validate the saved content before use.
// NOTE(review): the URL argument to download() is not present in this rendering.
$curl = new Curl();
$curl->download('', 'my_image.png');
$curl = new Curl();

Keep SSL protections enabled

  • Do not disable SSL/TLS certificate verification.
// false (0) skips the check that the certificate's name matches the requested host;
// the libcurl default of 2 performs that check.
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false); // DANGER!
// false stops the peer certificate chain being validated against the trust store,
// so any certificate presented by an interceptor is accepted.
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); // DANGER!