maxmin Posted March 22, 2009

I've installed PrestaShop, but my host disables allow_url_fopen in PHP. When I asked the host to enable allow_url_fopen, it replied with the following message:

"We have disabled allow_url_fopen php configuration on the server due to its hacking vulnerabilities, very few applications require it, and by disabling it we will prevent exploitation of PHP remote include vulnerabilities. Applications that do require it can be modified to use cURL instead."

Does anyone have an idea how to modify PrestaShop to use cURL? Does cURL have the same function as allow_url_fopen?

Thanks for any clues.

maxmin Posted March 25, 2009

It looks like the PrestaShop development team needs to modify the filename.php as my host suggested below. The reason is that I requested my host to put a custom php.ini in my web home directory where allow_url_fopen is enabled for "Friendly URL" (see the PrestaShop wiki on External Or Friendly URLs http://www.prestashop.com/wiki/External_or_Friendly_URLs/), but once the custom php.ini is put into my web's home directory /public_html/, public access to my website becomes extremely slow, the connection to the database is basically shut down, and sometimes the browser shows "Link to database can not be established." So I requested my host to look into this slow database connection problem, and the tech support replied that the slow database connection is caused by the enabled allow_url_fopen. See the detailed solution for this Friendly URL that my host suggested in the tech support reply message below:

My host tech support's message:

"Hello,

We could see that "allow_url_fopen" and "allow_url_include" are enabled in the server which caused the issue. We disabled it. Proof is attached along with this. Since URL file-access is disabled you may get some error like "URL file-access is disabled in the server configuration filename.php". Please don't enable allow_url_fopen as it is very high security risk.
But you can use a function in curl instead of "file_get_contents()" which will perform the same task for you.

Please contact your developer and modify the code in your filename.php as follows.

Instead of:
----------------------------------------------------
<?php
$file_contents = file_get_contents('http://example.com/');
// display file
echo $file_contents;
?>
----------------------------------------------------
Use this:
----------------------------------------------------
<?php
$ch = curl_init();
$timeout = 5; // set to zero for no timeout
curl_setopt($ch, CURLOPT_URL, 'http://example.com');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); // return the body as a string instead of printing it
curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, $timeout);
$file_contents = curl_exec($ch);
curl_close($ch);
// display file
echo $file_contents;
?>
----------------------------------------------------
If you are getting some errors with the code above, use this:
----------------------------------------------------
<?php
$site_url = 'http://example.com';
$ch = curl_init();
$timeout = 5; // set to zero for no timeout
curl_setopt($ch, CURLOPT_URL, $site_url);
curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, $timeout);
ob_start(); // capture what curl_exec() prints
curl_exec($ch);
curl_close($ch);
$file_contents = ob_get_contents();
ob_end_clean();
echo $file_contents;
?>
----------------------------------------------------

In case you have any more queries, please don't hesitate to contact us with all the required details. We'll be happy to assist you further.

Please feel free to contact us back in case of any other information.

Regards,
Adam
Host-Care Support Team.

Ticket Details
===================
Ticket ID: ORZ-652801
Department: Support Center
Priority: Medium
Status: On Hold"

As stated in the above tech support message from my host, the allow_url_fopen is not recommended to be enabled for "Friendly URL" (SEO).
Instead, the filename.php in PrestaShop should be modified to use the cURL function to perform the same functionality.

I hope the PrestaShop team can include this modification in the next version for all users who have the host's disabled allow_url_fopen issue.

Thanks.

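
Added example, not part of any post in this thread and not PrestaShop code: the host's cURL replacement for file_get_contents() sets only a connect timeout, so this version also pins the allowed protocols, refuses redirects, verifies TLS, caps the response size and checks for errors. The helper name http_get() and the limits used are assumptions.

```php
<?php
// Added illustration: http_get() is a hypothetical helper name, and the
// timeouts and 1 MiB size cap are example values.
function http_get(string $url, int $maxBytes = 1048576): string
{
    // Reject anything that is not plain http(s) before touching the network.
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    if (!in_array($scheme, ['http', 'https'], true)) {
        throw new InvalidArgumentException('Only http(s) URLs are allowed');
    }

    $body = '';
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS, // no file://, ftp://, ...
        CURLOPT_FOLLOWLOCATION => false,  // a redirect is reported, not followed
        CURLOPT_CONNECTTIMEOUT => 5,      // seconds to establish the connection
        CURLOPT_TIMEOUT        => 15,     // seconds for the whole transfer
        CURLOPT_SSL_VERIFYPEER => true,   // validate the certificate chain
        CURLOPT_SSL_VERIFYHOST => 2,      // and that it matches the host name
        CURLOPT_WRITEFUNCTION  => function ($ch, $chunk) use (&$body, $maxBytes) {
            $body .= $chunk;
            // Returning a length other than the chunk's aborts the transfer.
            return strlen($body) > $maxBytes ? 0 : strlen($chunk);
        },
    ]);

    $ok     = curl_exec($ch);
    $error  = curl_error($ch);
    $status = (int) curl_getinfo($ch, CURLINFO_HTTP_CODE);

    if ($ok === false) {
        throw new RuntimeException("Fetch failed: $error");
    }
    if ($status < 200 || $status >= 300) {
        throw new RuntimeException("Unexpected HTTP status $status");
    }
    return $body;
}

// Constructed input: rejected by the scheme check, so no request is sent.
try {
    http_get('ftp://example.com/feed.xml');
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```
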
Koko888 Posted January 21, 2011

Hello, did you get a solution for this? I have the same problem and I don't know what to do.

Kaihaku Posted January 21, 2011

> Hello, did you get a solution for this? I have the same problem and I don't know what to do.

Since PrestaShop is open source, the solution is to edit the code as suggested. It would be nice if the developers did adapt the base code to something more secure but for now...

> Please contact your developer and modify the code in your filename.php as follows.
>
> Instead of:
> ----------------------------------------------------
> <?php
> $file_contents = file_get_contents('http://example.com/');
> // display file
> echo $file_contents;
> ?>
> ----------------------------------------------------
> Use this:
> ----------------------------------------------------
> <?php
> $ch = curl_init();
> $timeout = 5; // set to zero for no timeout
> curl_setopt($ch, CURLOPT_URL, 'http://example.com');
> curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); // return the body as a string instead of printing it
> curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, $timeout);
> $file_contents = curl_exec($ch);
> curl_close($ch);
> // display file
> echo $file_contents;
> ?>
> ----------------------------------------------------
> If you are getting some errors with the code above, use this:
> ----------------------------------------------------
> <?php
> $site_url = 'http://example.com';
> $ch = curl_init();
> $timeout = 5; // set to zero for no timeout
> curl_setopt($ch, CURLOPT_URL, $site_url);
> curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, $timeout);
> ob_start(); // capture what curl_exec() prints
> curl_exec($ch);
> curl_close($ch);
> $file_contents = ob_get_contents();
> ob_end_clean();
> echo $file_contents;
> ?>
> ----------------------------------------------------
>
> In case you have any more queries, please don't hesitate to contact us with all the required details. We'll be happy to assist you further.

I will say if that code actually works, you have impressive customer service.

correadde Posted August 5, 2012

Hi! What file do I change that code from fopen to cURL?

davnem Posted August 15, 2012

To Maxmin: I am really surprised your provider's CS told you "We have disabled allow_url_fopen php configuration on the server due to its hacking vulnerabilities, very few applications require it, and by disabling it we will prevent exploitation of PHP remote include vulnerabilities. Applications that do require it can be modified to use cURL instead."

My provider's CS is saying the opposite thing: they have 5000 domains, and they need to have allow_url_fopen and allow_url_include ON!

Notice: In my case, setting allow_url_fopen and allow_url_include in the php.ini or .htaccess in my public or cgi folder doesn't work. They still remain the same as the global setting.

Does anyone have experience with the proclaimed vulnerability issue regarding allow_url_fopen and allow_url_include? I mean in reality. How did you solve the issue? I was looking around and reading a lot but didn't find much that was usable for me.

Further, I was looking around to find a solution for how to configure my own server space. I found the setting below mentioned on http://www.php.net/manual/en/configure.about.php#configure.disable-url-fopen-wrapper

--disable-url-fopen-wrapper
Disable the URL-aware fopen wrapper that allows accessing files via HTTP or FTP. (not available since PHP 5.2.5)

What exactly does "not available since PHP 5.2.5" mean? Is it that the setting is possible only as a global setting on the server by the provider? Does anyone have some ideas about that?

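
Added example, not part of any post in this thread and not PrestaShop code: the "PHP remote include" risk the host refers to arises when request input reaches include/require, and the usual fix is an allowlist in the application, with the php.ini switches as a second layer. The page names, the pages/ directory and both function names are hypothetical; url_wrapper_report() reads at runtime whether the two directives are on and whether they can only be changed system-wide.

```php
<?php
// Added illustration; PAGES, resolve_page() and url_wrapper_report() are
// hypothetical names, and the inputs at the bottom are constructed.

// Vulnerable pattern (left as a comment so it never runs):
//   include $_GET['page'] . '.php';
// With allow_url_include=On, a URL in "page" makes PHP download and execute
// remote code. With it Off, the same line still permits local path traversal.

const PAGES = ['home' => 'home.php', 'cart' => 'cart.php'];

// Hardened form: the request only selects a key; it never becomes a path.
function resolve_page(string $requested, string $baseDir): ?string
{
    if (!isset(PAGES[$requested])) {
        return null; // caller answers 404 and includes nothing
    }
    return rtrim($baseDir, '/') . '/' . PAGES[$requested];
}

// Report the effective value of both directives and whether PHP only
// accepts changes to them at system level.
function url_wrapper_report(): array
{
    $all = ini_get_all(null, true);
    $report = [];
    foreach (['allow_url_fopen', 'allow_url_include'] as $key) {
        if (!isset($all[$key])) {
            continue; // directive not present in this PHP build
        }
        $report[$key] = [
            'enabled'     => filter_var($all[$key]['local_value'], FILTER_VALIDATE_BOOLEAN),
            // INI_SYSTEM-only directives ignore .htaccess and ini_set().
            'system_only' => $all[$key]['access'] === INI_SYSTEM,
        ];
    }
    return $report;
}

// Constructed inputs: one valid page key, one URL, one traversal attempt.
foreach (['cart', 'http://example.com/x', '../config/settings'] as $input) {
    var_dump(resolve_page($input, __DIR__ . '/pages'));
}
print_r(url_wrapper_report());
```
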
benjamin utterback Posted August 15, 2012

Dave, that's a good analysis. I too have not heard of the "high" security risks attached with allowing url.

romast Posted April 7, 2013

So, the solution is to change the provider? Thanks for the info.