
Topic on Extension talk:PhpTags/Flow

file_get_contents?

Summary by Johnywhy

file_get_contents is not supported by PhpTags.

That would be a security risk, because it could potentially enable web-clients to read web-server system files with passwords, and make any requests from the web-server to maybe intranet or other servers.

That would mean access to a lot of services which are normally trusted only to local connections.

But how does it allow web-clients to make dangerous operations without a password requirement? Why no password requirement?

Johnywhy (talkcontribs)

simple hello-world works fine, but file_get_contents returns

PhpTags Fatal error: Call to undefined function file_get_contents() in Draft:TestPHP on line 2

Here's the sample code:

<phptag>
$foo = 'hello world!';
echo $foo;
</phptag>

<phptag>
$searchResults = file_get_contents('https://www.nature.com/articles/s41467-018-03445-z');
echo $searchResults;
</phptag>

How to enable file_get_contents?

Pastakhov (talkcontribs)

It is not real PHP, it is just a faster and more powerful alternative to Help:Magic Words.

And file_get_contents should never be enabled there, for security reasons.

Johnywhy (talkcontribs)

thx, what's the security risk?

Pastakhov (talkcontribs)

Read system files with passwords and make any requests from the server to maybe intranet or any other server including itself. A lot of services trust local connections and allow dangerous operations without a password requirement.

Johnywhy (talkcontribs)

How does it allow web-clients to make dangerous operations without a password requirement? Why no password requirement?

Pastakhov (talkcontribs)

Sorry for the delay, I was very busy. I meant that some services allow dangerous operations for clients connected to the localhost interface (127.0.0.1), because nobody can connect to the localhost interface from the internet or another network. But if you provide uncontrolled access to the file_get_contents function, somebody can try to use it to hack your server.

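The two risks named in this thread (local file reads and requests to localhost or the intranet) are what a server-side fetch has to rule out before it can take a user-supplied target. The following is an added example, not part of the thread and not PhpTags code: it is plain PHP, and `is_fetch_target_allowed`, its `$resolve` parameter, the stub resolver and the sample URLs are all constructed for illustration.

```php
<?php
/**
 * Decide whether a server-side fetch of $url would stay off the local
 * filesystem and off loopback/private/reserved addresses.
 * $resolve is an injectable resolver (hypothetical parameter) so the check
 * can be exercised offline; it defaults to PHP's gethostbynamel().
 */
function is_fetch_target_allowed(string $url, ?callable $resolve = null): bool
{
    $resolve = $resolve ?? 'gethostbynamel';
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;                       // plain paths such as /etc/passwd land here
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;                       // file://, php://, ftp:// ...
    }
    $host = trim($parts['host'], '[]');     // strip brackets from IPv6 literals
    $ips = filter_var($host, FILTER_VALIDATE_IP) ? [$host] : $resolve($host);
    if (!is_array($ips) || $ips === []) {
        return false;                       // unresolvable: refuse
    }
    $flags = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
    foreach ($ips as $ip) {
        // Every resolved address must be public: 127.0.0.0/8, ::1, 10/8,
        // 172.16/12, 192.168/16 and 169.254/16 are all rejected here.
        if (filter_var($ip, FILTER_VALIDATE_IP, $flags) === false) {
            return false;
        }
    }
    return true;
}

// Constructed resolver standing in for DNS, so the sample runs offline.
$fakeDns = fn(string $h) => ['intranet.example' => ['10.0.0.5'],
                             'www.example.org'  => ['93.184.216.34']][$h] ?? false;

// Constructed sample targets: only the last one is allowed.
$samples = ['/etc/passwd', 'file:///etc/passwd', 'http://127.0.0.1:8080/admin',
            'http://[::1]/', 'http://intranet.example/', 'https://www.example.org/page'];
foreach ($samples as $u) {
    printf("%-32s %s\n", $u, is_fetch_target_allowed($u, $fakeDns) ? 'allow' : 'deny');
}
```

A check like this only holds if the fetch then connects to the address that was validated and does not follow redirects, since the name could resolve differently or the response could point elsewhere at fetch time.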