About file_get_contents, wp_remote_get Risks

Asked 1 years ago, Updated 1 years ago, 102 views

It supports the Google AMP page.
Write style amp-custom directly to the header

Automatically generating css files from the sass file Write in gulp or in php file_get_contents
Load or use wordpress wp_remote_get to
I can't decide whether to load it or not.

File_get_contents May Cause Security Vulnerabilities
I've seen an article that says
How do I use it securely? I found something unclear while looking into it.

1. A book contained a sample file_get_contents securely.

$clean=array();
$html = array();

/* Filter input ($_GET['filename']) */

$contents=file_get_contents($clean['filename']);

/* Filter input ($contents) */

$html['contents'] = htmlentities($clean['contents'], ENT_QUOTES, 'UTF-8');
echo$html ['contents'];

I didn't understand the meaning of the comment out section above.
In line 4, $contents=file_get_contents($clean['filename']); is
What was originally $contents=file_get_contents($_GET['filename']);
Why did you change it to secure via array()
Will it be secure if I read it?
Or
Write here the action to filter the input($_GET['filename'])
Is it a meaningful comment out?
The comment out in line 5 didn't make sense.

2. This time
the administrator generated the file on the same server (same domain) by himself I have to load it, but even in these situations
File_get_contents, wp_remote_get running on the server
Are there any possible risks?

3. I would like to visit if there are people who touch various servers.
Some servers may not be able to use file_get_contents, but
If you compare file_get_contents to unavailable or usable, which one is more common?

I have summarized the above situation.
gGulp Benefits 】
·There is almost no need to worry about security risks.
·The program does not work on the server, so the server load can be reduced slightly.

[Gulp Disadvantages]
·Gulp tasks must be built (copied) for each site.

pphp Benefits br
·Source management is easy.

[Php Disadvantages]
·You must write the source for security considerations
·The server is a little bit of a burden.

This site is a small corporate site
Server relocation may occur, so
I'm thinking about using gulp, but
What kind of judgment would you make?
If you have a similar experience,
I would definitely like to use it as a reference.

php wordpress security gulp

2022-09-30 20:12

1 Answers

If the vulnerability in the php file_get_contents() in question is a directory traversal, you do not need to consider security if you write actions without using an externally specified filename.

I think it would be better to read file_get_contents or use require based on wordpress slug etc.

My question is
1. I think $clean is a cytization process.If you want to site it, you can use html specialchars()

2.Externally specified filenames ($_GET, filename from $_PUT) may be given an unintended path. (There may be a vulnerability in the wordpress plug-in used lightly.)

3. I think file_get_contents can be used on almost any server.However, there are occasional servers (you cannot change the php option) that restrict the reading of files over HTTP.

2022-09-30 20:12

If you have any answers or tips

Popular Tags
python x 4647
android x 1593
java x 1494
javascript x 1427
c x 927
c++ x 878
ruby-on-rails x 696
php x 692
python3 x 685
html x 656
Popular Questions

928 In Java servlet, when SHA-256 sends WW-Authenticate header for digest authentication, the client does not return the result.

515 PHP ssh2_scp_send fails to send files as intended

520 Scrap text information after the "View More" button when searching in the Yahoo! News search window

504 Understanding How to Configure Google API Key

519 Unable to install versioned in Google Colab

© 2024 OneMinuteCode. All rights reserved.