PHP  
downloads | documentation | faq | getting help | mailing lists | | php.net sites | links | my php.net 
search for in the  
<PUT-Unterst�tzungVerbindungssteuerung>
view the version of this page
Last updated: Sat, 19 Apr 2003

Kapitel 19. Zugriff auf entfernte Dateien

Wenn die Unterst�tzung f�r den "URL fopen wrapper" bei der Konfiguration von PHP vorhanden ist (welche standardm��ig eingestellt ist, es sei denn, die Option --disable-url-fopen-wrapper wurde bei der Installation verwendet (Versionen bis 4.0.3) oder der Parameter allow_url_fopen in der php.ini deaktiviert wurde (neuere Versionen), k�nnen HTTP und FTP URLs bei den meisten Funktionen verwendet werden, die einen Dateinamen als Parameter ben�tigen, inklusive require() und include() Anweisungen.

Anmerkung: remote files funktionieren nicht mit include() und require() Anweisungen unter Windows.

Beispielsweise kann eine Datei auf einem anderen Webserver ge�ffnet und verarbeitet werden. Diese Daten k�nnen zur Abfrage einer Datenbank benutzt werden oder passend zum Rest der eigenen Website ausgegeben werden.

Beispiel 19-1. Den Titel einer entfernten Seite auslesen

<?php
$file = fopen ("http://www.example.com/", "r");
if (!$file) {
    echo "<p>Datei konnte nicht ge�ffnet werden.\n";
    exit;
}
while (!feof ($file)) {
    $line = fgets ($file, 1024);
    /* Funktioniert nur, wenn Titel und title-Tags in einer Zeile stehen */
    if (eregi ("<title>(.*)</title>", $line, $out)) {
        $title = $out[1];
        break;
    }
}
fclose($file);
?>

Auch eine Datei auf einem FTP-Server kann geschrieben werden, solange man sich �ber einen Benutzer mit entsprechenden Zugriffsrechten verbindet und die Datei noch nicht existiert. Um sich mit einem anderen Benutzer als 'anonymous' zu verbinden mu� ein username (und m�glichst ein Passwort) innerhalb der URL angegeben werden, wie z.B. 'ftp://user:[email protected]/pfad/zur/datei'. (Die selbe Syntax kann verwendet werden, um auf Daten via HTTP zuzugreifen, wenn diese eine Basic Authentication ben�tigen.)

Beispiel 19-2. Daten auf einen entfernten Server speichern

<?php
$file = fopen ("ftp://ftp.example.com/incoming/outputfile", "w");
if (!$file) {
    echo "<p>Datei konnte zum schreiben nicht ge�ffnet werden.\n";
    exit;
}
/* Schreibe die Daten hier hin. */
fputs ($file, "$HTTP_USER_AGENT\n");
fclose ($file);
?>

Anmerkung: Obiges Beispiel k�nnte dazu verleiten, dieses Verfahren zu benutzen, um in ein 'remote log-file' zu schreiben. Wie oben erw�hnt kann man jedoch ausschlie�lich neue Dateien anlegen, wenn man URL fopen() wrapper benutzt. F�r 'distributed logging' sollte man sich die Funktion syslog() anschauen.



User Contributed Notes
Zugriff auf entfernte Dateien
add a note
greg at b-sphere dot com
25-Apr-2000 09:21

To use images and links in an included or required web page on a remote server, the calls in the remote files probably must use a fully qualified URL (). Don't know how universal this is, but it's been the case with several servers so far, and no exceptions found. Since the URLs on the remote page are probably using relative addressing, some added coordination is probably called for in most collaboration projects, where one site is serving content to be required or included on other sites.
php!at!sturmgewehr.de
25-Feb-2002 02:42

Be careful when you use something like index.php?showpage=news.php and include() that $showpage file.
If a malicious user would call your script as index.php?showpage= it would include that script and run it in *your* script's scope. That means it can read all files and variables your webserver has access to!
Use file_exists() (which only works on local files) or check for 'tp:' in the filename prior to inclusion.

jt at gno dot de
27-Feb-2002 12:24

Greg: I had your problem, too, and I simply solved it by defining a <base href> tag in the script's HTML header. This points all relative links and image sources of the included page to the defined URL.
E.g. you run your script on yourhost.com and you include a site from php.net then you would define <base href=">

Of course you have to make your own references in the script global!

christer at frostmo dot com
04-Apr-2002 03:21

The easiest solution to this security risk is, in my oppinion, to add a host string in front of the url specified in the url adress.

example:

<html>
<head><title>php.net</title></head>
<body>

<?php
include(");
?>

</body>
</html>

yup =) It's impossible to include() an page from another server.

Regards,

Christer Frostmo
Norway
www.frostmo.com

toby at butzon dot com
19-Apr-2002 12:15

It's important to understand that remote files included/required into your script are NOT run on your server (as previous posts have suggested).

Think about it this way: When I do this:

<?php include('); ?>

..I'm actually asking PHP to make a separate HTTP request (just as your Web browser would) to www.example.com. So, point your browser to that location. Do you see any PHP code? No. You will only see HTML/text content.

(On the off chance that .php wasn't associated with the PHP module/binary, the code would only be displayed. Thus, you would have to TRY to make a dangerous include scenario -- such as eval()'ing a remoted included file specified by the user.)

Therefore, although this code may be vulnerable to an "untrustworthy information" attack (where the information displayed by your Web site isn't actually information you endorse, even though the information is ultimately transferred from your Web server), you are NOT vulnerable to malicious access to your Web server resources, even if visitors can specify any remote server/file that they please.

klaus at netlibrary dot de
02-May-2002 04:08

In my experience, I cannot agree with Toby. Scripts can indeed be run through remotely included files. All that needs to be done is put the PHP script into an HTML or other file that is not parsed by the remote server.

This theoretically enables a malicious scripter to attack using a series of steps. For example, a simple .htm file with the content

<?php
echo phpinfo();
?>

will give quite a bit of information about the local system and possibly will give enough information to wreak havoc in the server's file system. If you would like to try this out, create an 'includetest.php' in a protected directory on your server with the content

<?php
include $inc;
?>

Pass the file to be included as 'includetest.php?inc=
The page is on one of my less used servers and can be accessed with any browser to show that it is simply the phpinfo() command I described above.

I have tested this on 3 servers, all running PHP < 4.2.0, and unless this was fixed in the latest release, it still works.

php at jerde dot net
06-May-2002 09:22

You must be VERY careful if you allow a variable to control the URL of an include()ed file.

A previous poster suggested:
include(");

This, however, won't work in all cases. For example, set the variable to "@www.evil-site.dom/evil-code.phps"

Your carefully constructed pre-URL is now sent merely as a username to the attacker's web site.

Stripping out "@" and ":" would be a good idea, and THEN you'd probably be safe.

- Peter Jerde
Minneapolis, Minnesota, USA

joachim_php dot net at schirrmachers dot de
05-Jul-2002 03:19

It seems that it isn't possible to replace the standard browser signature sent in an fopen(') call with another value, i.e. the current value of $HTTP_USER_AGENT
elfyn at exposure dot org dot uk
18-Aug-2002 04:48

What toby said is pretty on the line. Same with klaus. But if your going to do something that silly like allowing a third-party to include files into your php script you should atleast 1) re the file contents to see if it contains php tags or 2) use a function in 'String functions' strip_tags to remove any php, although if you use this with the default settings it would remove html.
vlad at vkelman dot com
09-Nov-2002 08:37

There is a good news for klaus at netlibrary dot de and others: PHP 4.2.3. DOES block include('some_html_file'). It doesn't matter if this file has actual PHP inside or not: include() doesn't work. You can use fopen() or readfile(), but this means, the content won't be executed and therefore no more vulnerability exists.
ohlesbeauxjours at yahoo dot fr
03-Dec-2002 03:43

In reply to Vlad who mentionned a problem with PHP version 4.2.3 :
require "
... worked fine for me.
But note that I had to ask my web host supplier to configure its proxy server so that the IP for "www.somewhere.org" can be accepted for http requests.
Otherwise, if you don't desactivate that security mechanism on the web server, you won't see any warning or error messages when you execute your script, but only a "blocked" page, stopped at the instruction "require(")"

buht at mail dot ru
10-Dec-2002 10:16

I`ve read all that You say and try to do next two simple files.
First file make include throught Web:
<?php
include(');
?>

Second File (test.php) make output as html, but result is the new php script:
<?
echo "<?\$ip=getenv('REMOTE_HOST');echo \"IP=\$ip;\";?>";
?>

That work perfectly without searching of server that does not support of php scripts but allow to store php files on it. Extention is also not important.
So that is more secure to reject using of including through Web.
But know somebody any other possibility to include a document as it from another URL using php?

robro at compsoc dot nuigalway dot ie dot nospam
14-Jan-2003 01:37

The easiest way I'd see around the security hold mentioned above would be to turn off allow_url_fopen, using ini_set.

If that is not acceptable you can simply str_replace out the :// part that seperates the protocol from the address.

include( str_replace("://", "", $whatever) );

should do the trick.

add a note

<PUT-Unterst�tzungVerbindungssteuerung>
 Last updated: Sat, 19 Apr 2003
show source | credits | mirror sites 
Copyright © 2001-2003 The PHP Group
All rights reserved.
This mirror generously provided by: /
Last updated: Mon May 12 21:12:21 2003 CEST