sivasekar / dompdf

Automatically exported from code.google.com/p/dompdf

Allow remote file inclusion with allow_url_fopen on disabled #69

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
What would you like dompdf to do:
Allow remote file inclusion, like remote images, css and similar stuff to
download, even while allow_url_fopen is disabled. file_get_contents()
doesn't work when that is the case.

What to do:
1. Include the attachment of this message
2. Replace file_get_contents with the following kind of structure:
{{{
if(function_exists('curl_init')) {
    $content = http::fetch_content($url);
} else {
    $content = file_get_contents($url);
}
}}}

Original issue reported on code.google.com by michiele...@gmail.com on 14 Sep 2009 at 2:11


GoogleCodeExporter commented 9 years ago
Or maybe:

{{{
$content = (function_exists('curl_init')) ? http::fetch_content($url) : file_get_contents($url);
}}}

Original comment by michiele...@gmail.com on 14 Sep 2009 at 2:18

GoogleCodeExporter commented 9 years ago
It seems unlikely that curl would be enabled on systems where allow_url_fopen is
disabled (though I don't doubt the possibility). Can you think of any reason this
would be the case? The user could also enable url_fopen for the currently running
script using ini_set().

Perhaps we should consider making url_fopen be a requirement of accessing remote
objects and document as such.

I'm not totally against curl support, I just want to make sure we do it for the
right reasons.

Original comment by eclecticgeek on 14 Sep 2009 at 5:52

GoogleCodeExporter commented 9 years ago
Well, we host a hosting server. We, and also others, disable allow_url_fopen by
default, because it could be used by a hacking attack, which makes your server
rather vulnerable. So for security's sake we disable it by default. But I know of
other hosting services which won't even enable it, even if you ask them. So that
is why.

Also CURL can be seen as a browser, by sending useragent headers as well as
Forwarded-For headers, so websites which use browser detection, or websites which
do have a rather strong client/header policy (like mod_security), could be used as
well.

Indeed I go with the suggestion you'd rely on url_fopen, if you see my second
reason for using curl as "browser" as not worth it. Because url_fopen is more
precise than allow_url_fopen.

Curl is, by the way, installed on more and more servers, because everyone is going
to PHP5 and webservices are a major issue these days. Most webservice libraries
use Curl nowadays.

Original comment by michiele...@gmail.com on 14 Sep 2009 at 6:12

GoogleCodeExporter commented 9 years ago
Another advantage of using CURL is using cookies to access secure images on the
server on which the PDF library is located.

See http://svetlozar.net/page/free-code.html for reference code.

Original comment by michiele...@gmail.com on 5 Oct 2009 at 12:48

GoogleCodeExporter commented 9 years ago

Original comment by eclecticgeek on 24 May 2013 at 3:00
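
The curl-first fallback requested in this issue, written out as an added example (it is not dompdf's code and not the attachment the reporter refers to). The function name `fetch_remote_resource()`, the size cap and the timeout values are assumptions chosen for illustration; the helper restricts fetches to http/https so that moving off `file_get_contents()` does not widen what a document can load.

```php
<?php
// Added example: hypothetical helper, not part of dompdf or of the issue's attachment.
function fetch_remote_resource(string $url, int $maxBytes = 5242880): ?string
{
    // Allow only http(s); rejects file://, php://, gopher:// and other wrappers.
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    if (!in_array($scheme, ['http', 'https'], true)) {
        return null;
    }

    if (function_exists('curl_init')) {
        $body = '';
        $ch = curl_init($url);
        curl_setopt_array($ch, [
            CURLOPT_PROTOCOLS       => CURLPROTO_HTTP | CURLPROTO_HTTPS,
            CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTP | CURLPROTO_HTTPS,
            CURLOPT_FOLLOWLOCATION  => true,
            CURLOPT_MAXREDIRS       => 3,
            CURLOPT_CONNECTTIMEOUT  => 5,
            CURLOPT_TIMEOUT         => 15,
            CURLOPT_SSL_VERIFYPEER  => true,
            CURLOPT_SSL_VERIFYHOST  => 2,
            // Collect the body chunk by chunk; returning 0 aborts an oversized transfer.
            CURLOPT_WRITEFUNCTION   => function ($ch, $chunk) use (&$body, $maxBytes) {
                $body .= $chunk;
                return strlen($body) > $maxBytes ? 0 : strlen($chunk);
            },
        ]);
        $ok = curl_exec($ch);
        $status = curl_getinfo($ch, CURLINFO_HTTP_CODE);
        return ($ok !== false && $status >= 200 && $status < 300) ? $body : null;
    }

    // Fallback: only possible when the URL stream wrappers are enabled.
    if (filter_var(ini_get('allow_url_fopen'), FILTER_VALIDATE_BOOLEAN)) {
        $ctx = stream_context_create(['http' => ['timeout' => 15, 'max_redirects' => 3]]);
        $body = @file_get_contents($url, false, $ctx, 0, $maxBytes); // reads at most $maxBytes
        return $body === false ? null : $body;
    }
    return null;
}
```

The scheme allowlist does not limit which hosts are contacted, so where document URLs come from untrusted input the destination host still needs its own allowlist or network-level restriction.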