Open madmatt opened 5 years ago
Also note that the underlying library we use uses the Apache_Solr_HttpTransport_FileGetContents
HTTP transport by default. This will need to change to use the Apache_Solr_HttpTransport_Curl
transport instead. Looks like this should be easy to achieve, but shouldn't be overlooked. (h/t @firesphere for pointing this out)
Should title be "Module shouldn't use file_get_contents to fetch URLs"?
See cross-post issue on silverstripe/cwp-search: https://github.com/silverstripe/cwp-search/issues/25
This module uses file_get_contents() to post/retrieve data from Solr in some instances. It shouldn't do so, as some servers may have allow_url_fopen disabled in php.ini. Instead, use of Guzzle (or raw curl) is encouraged for security reasons, mainly to prevent accidental remote code execution/remote file inclusion bugs.
Note that this module explicitly isn't susceptible to RFI vulnerabilities as far as I can tell, but if you're trying to use the module on a hardened server this config value is likely disabled.
edit: Also, renaming the variable from $targetDir would help avoid doubt about whether or not it's a URL. Suggested name: $targetUrl
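
A sketch of the raw-curl replacement discussed in this issue, as an added example that is not code from the module or from any commenter. The function name postToSolr() and the sample values are hypothetical, and it assumes PHP 7.4+ with the curl extension loaded. It does not depend on allow_url_fopen and refuses any target that is not an http(s) URL, which also covers the $targetDir/$targetUrl ambiguity.

```php
<?php
// Added example; postToSolr() is a hypothetical helper, not the module's API.

/** POST a body to a Solr endpoint with curl; works with allow_url_fopen=Off. */
function postToSolr(string $targetUrl, string $body, string $contentType = 'text/xml; charset=UTF-8'): string
{
    // The target must be a URL, never a local path or another stream wrapper.
    $scheme = strtolower((string) parse_url($targetUrl, PHP_URL_SCHEME));
    if (!in_array($scheme, ['http', 'https'], true)) {
        throw new InvalidArgumentException("Refusing non-HTTP(S) target: {$targetUrl}");
    }

    $ch = curl_init($targetUrl);
    if ($ch === false) {
        throw new RuntimeException('curl_init() failed');
    }
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => $body,
        CURLOPT_HTTPHEADER     => ["Content-Type: {$contentType}"],
        CURLOPT_RETURNTRANSFER => true,
        // Second line of defence: curl itself may only speak HTTP(S).
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_FOLLOWLOCATION => false, // do not follow redirects to other hosts
        CURLOPT_CONNECTTIMEOUT => 5,
        CURLOPT_TIMEOUT        => 30,
    ]);

    $response = curl_exec($ch);
    if ($response === false) {
        throw new RuntimeException('Solr request failed: ' . curl_error($ch));
    }
    $status = (int) curl_getinfo($ch, CURLINFO_HTTP_CODE);
    if ($status < 200 || $status >= 300) {
        throw new RuntimeException("Solr returned HTTP {$status}");
    }
    return $response;
}

// Constructed check that runs offline: a directory path is rejected before any I/O.
try {
    postToSolr('/var/solr/data/update', '<commit/>'); // constructed sample value
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
echo 'allow_url_fopen=', ini_get('allow_url_fopen') ? 'On' : 'Off', PHP_EOL;
```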