I am adding support for Google AMP pages.
To write the amp-custom style directly into the header, I automatically generate CSS files from the Sass files, and I can't decide whether to write the CSS in with gulp, or to load it with PHP file_get_contents or WordPress wp_remote_get.
I've seen an article that says file_get_contents may cause security vulnerabilities.
How do I use it securely?
I found something unclear while looking into it.
1. A book contained a sample that uses file_get_contents securely.
$clean = array();
$html = array();
/* Filter input ($_GET['filename']) */
$contents = file_get_contents($clean['filename']);
/* Filter input ($contents) */
$html['contents'] = htmlentities($clean['contents'], ENT_QUOTES, 'UTF-8');
echo $html['contents'];
I didn't understand the meaning of the comments in the code above.
In line 4, $contents = file_get_contents($clean['filename']); is what was originally $contents = file_get_contents($_GET['filename']);.
Does changing it to go through array() make it secure to read?
Or is it a comment that means "write the processing that filters the input ($_GET['filename']) here"?
The comment in line 5 didn't make sense to me.
2. This time I have to load a file that the administrator generated himself on the same server (same domain). Even in this situation, are there any possible risks in running file_get_contents or wp_remote_get on the server?
3. I would like to ask people who work with various servers.
Some servers may not be able to use file_get_contents. Comparing servers where file_get_contents is unavailable with servers where it is usable, which is more common?
I have summarized the above situation.
[Gulp Benefits]
·There is almost no need to worry about security risks.
·The program does not run on the server, so the server load can be reduced slightly.
[Gulp Disadvantages]
·Gulp tasks must be built (copied) for each site.
[PHP Benefits]
·Source management is easy.
[PHP Disadvantages]
·You must write the source with security in mind.
·It puts a little load on the server.
This site is a small corporate site and server relocation may occur, so I'm thinking about using gulp.
What kind of judgment would you make?
If you have had a similar experience, I would definitely like to use it as a reference.
If the vulnerability in PHP's file_get_contents() in question is directory traversal, you do not need to consider security if you write the processing without using an externally specified filename.
I think it would be better to read with file_get_contents or use require based on the WordPress slug, etc.
Regarding your questions:
1. I think $clean is a sanitization process. If you want to sanitize it, you can use htmlspecialchars().
2. Externally specified filenames ($_GET, filename from $_PUT) may be given an unintended path. (There may be a vulnerability in a WordPress plug-in that is used casually.)
3. I think file_get_contents can be used on almost any server. However, there are occasional servers (where you cannot change the PHP option) that restrict the reading of files over HTTP.
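The following is an added example, not part of the book sample or of either post above. It shows one way to fill in the "Filter input" step when a name such as a slug selects the CSS file: a strict pattern check, a realpath() containment check, and escaping for the style element. The function name load_amp_css, the one-file-per-slug layout and the demo directory are assumptions.

```php
<?php
// Added example. Assumed layout: compiled CSS sits in one fixed directory,
// one "<slug>.css" file per page.

/** Return the CSS for $slug, or null when the name is not acceptable. */
function load_amp_css(string $slug, string $baseDir): ?string
{
    // Filter input: only a conservative slug pattern is accepted, so "../",
    // slashes, NUL bytes and URL schemes never reach file_get_contents().
    if (!preg_match('/\A[a-z0-9][a-z0-9_-]{0,63}\z/', $slug)) {
        return null;
    }

    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    $path = realpath($prefix . $slug . '.css');

    // Containment check: after symlinks are resolved, the file must still
    // be inside the base directory.
    if ($path === false || strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }

    $css = file_get_contents($path);
    if ($css === false) {
        return null;
    }

    // Escape for the output context: inside <style amp-custom> a literal
    // "</style" would end the element early, so it is neutralised.
    return str_ireplace('</style', '<\/style', $css);
}

// Constructed demo: a temporary directory stands in for the CSS folder.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'amp-css-demo';
if (!is_dir($dir)) {
    mkdir($dir);
}
file_put_contents($dir . DIRECTORY_SEPARATOR . 'top.css', 'body{margin:0}');

var_dump(load_amp_css('top', $dir));          // well-formed slug, file exists
var_dump(load_amp_css('../wp-config', $dir)); // fails the slug pattern check
```

When the file name is a constant in the theme rather than a value taken from the request, the pattern and containment checks have nothing to guard and only the output escaping still applies.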