Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

No supported modules should use file_get_contents to access external URLs #228

Open
brynwhyman opened this issue Aug 2, 2019 · 7 comments
Open

No supported modules should use file_get_contents to access external URLs #228

brynwhyman opened this issue Aug 2, 2019 · 7 comments
Labels
affects/v4 complexity/low impact/low type/bug

Comments

@brynwhyman
Copy link

Background

CWP Ops were about to release PHP ini changes that disabled allow_url_fopen and allow_url_include which would prevent the use of file_get_contents() in particular with URLs.

This release had to be postponed because it was discovered some supported modules are still using this function.

Overview

We need to investigate all supported modules (and 3rd party dependancies) to identify where file_get_contents is being used and update it to something more secure.

The use of Guzzle (or raw curl) is encouraged for security reasons, mainly to prevent accidental remote code execution/remote file inclusion bugs.

Release considerations

This improvement would focus on new stacks so we would only need to fix it in a new CWP 2 release.

Modules identified so far
@robbieaverill
Copy link
Contributor

I have a feeling that the use of file_get_contents() in project code would also be widespread. I assume some research has been done in this space before the decision to disable it was made?

@brynwhyman
Copy link
Author

I assume some research has been done in this space before the decision to disable it was made?

@madmatt, @chillu do you have input here?

@madmatt
Copy link
Member

madmatt commented Aug 2, 2019
edited
Loading

As noted on the CWP announcement, this was only planned to affect new stacks for now. Once the change had been rolled out, further work would be done to find any affected stack code and get it resolved prior to disabling those values for existing stacks.

In addition, CWP developer docs were updated to indicate why it shouldn't be used.

@sminnee
Copy link
Member

sminnee commented Aug 2, 2019

I believe the ticket title should be "No supported modules should use file_get_contents to access URLs" but I'll let @madmatt confirm that.

@ScopeyNZ ScopeyNZ changed the title No supported modules should use file_get_contents No supported modules should use file_get_contents to access external URLs Aug 2, 2019
@robbieaverill
Copy link
Contributor

I'm finding it hard to justify this as a bug to be honest... but since the announcement calls it a "low impact security risk" then I guess we will

@robbieaverill
Copy link
Contributor

Are we doing this for SS3 as well?

@brynwhyman
Copy link
Author

brynwhyman commented Aug 2, 2019
edited
Loading

Are we doing this for SS3 as well?

I believe this should focus on new stacks, so it would make sense to target the latest CWP 2 release.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
affects/v4 complexity/low impact/low type/bug
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@sminnee @madmatt @emteknetnz @robbieaverill @brynwhyman