XF 1.5 file_get_contents

Robert9

There are two addons I use:
1. https://xenforo.com/community/resources/convert-image-resource.4779/ running
2. https://xenforo.com/community/resources/import-avatar-from-url.3861/ not running any more?

While Andy uses for 1) some more code with CURL to fetch the image, Nobita just uses
Code:
        $content = @file_get_contents($url);

        $imginfo = @getimagesize($content);

I have to find out why Nobita's addon is not running for me; maybe the functions from above are not usable anymore?
Why does one use two lines of code, the other one CURL with many more lines?
 
Have you moved hosts recently or changed anything else about your hosting?

Some hosts and security setups specifically disable file_get_contents because it is seen as a security risk (could be used to retrieve arbitrary files from the filesystem by a remote hacker).
 
Using file_get_contents() with local files isn't any more unsafe than fopen(), which realistically can't be disabled.

Furthermore, if file_get_contents() was disabled it would generate an error if this function was being used.

Therefore I think it is much more likely that the new host has set allow_url_fopen = 0, which did indeed increase security significantly in older PHP versions until allow_url_include was introduced.
 
Maybe the new test web has other config than the running web.
I have solved it by using curl to fetch the image to temp and convert it to resource_icons.
 
Using file_get_contents() with local files isn't any more unsafe than fopen(), which realistically can't be disabled.

Furthermore, if file_get_contents() was disabled it would generate an error if this function was being used.

Therefore I think it is much more likely that the new host has set allow_url_fopen = 0, which did indeed increase security significantly in older PHP versions until allow_url_include was introduced.

Yes, that's kind of what I was getting at - but you've explained it far more eloquently. I also had it backwards - the reason for disabling it is to prevent a hacker managing to get the code to retrieve a remote URL containing malicious code.

For @Robert9 's benefit - take a look at the PHP ini setting allow_url_fopen ... as mentioned by @Kirby it sounds like this option is disabled, which means that file wrappers such as file_get_contents and fopen are not permitted to access remote URLs and are limited to access the file system.
 
Furthermore, if file_get_contents() was disabled it would generate an error if this function was being used.
The code wouldn't generate an error because it is prefixed with @. That will silence all errors.

For debugging purposes, I'd recommend removing those @ symbols which should expose the error either of those functions is running into.

It's fine, in some cases, to use the shut up operator, but I assume this is just totally silent failing. Clearly that's a poor experience when the user runs into issues. If you must use it, at least test that you're receiving an expected value and either log or throw an exception if you aren't.
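
The advice in the reply above (drop the @, check the returned value, then log or throw), as an added example that is not part of the thread or of either add-on. The function names are hypothetical and the sample GIF is constructed so the parsing step runs offline.

```php
<?php
// Added example: hypothetical helper names, not code from either add-on.

function fetchRemoteBytes(string $url): string
{
    // Only plain web URLs; rejects file://, php://, data:// and local paths.
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    if (!in_array($scheme, ['http', 'https'], true)) {
        throw new InvalidArgumentException("Refusing non-HTTP(S) URL: $url");
    }
    // With allow_url_fopen = 0 the http:// wrapper is unavailable; report it explicitly.
    if (!filter_var(ini_get('allow_url_fopen'), FILTER_VALIDATE_BOOLEAN)) {
        throw new RuntimeException('allow_url_fopen is disabled; use cURL for remote fetches');
    }
    $ctx = stream_context_create(['http' => ['timeout' => 10]]);
    $content = file_get_contents($url, false, $ctx); // no @: the warning reaches the error log
    if ($content === false) {
        $err = error_get_last();
        throw new RuntimeException('Fetch failed: ' . ($err['message'] ?? 'unknown error'));
    }
    return $content;
}

function imageInfoFromBytes(string $content): array
{
    // getimagesizefromstring() parses bytes in memory; getimagesize() expects a filename.
    $info = getimagesizefromstring($content);
    if ($info === false) {
        throw new UnexpectedValueException('Downloaded data is not a recognised image');
    }
    return ['width' => $info[0], 'height' => $info[1], 'mime' => $info['mime']];
}

// Constructed sample: a 1x1 GIF, decoded inline instead of fetched.
$gif = base64_decode('R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7');
var_dump(imageInfoFromBytes($gif));

// Unexpected content is logged instead of failing silently.
try {
    imageInfoFromBytes('<html>not an image</html>');
} catch (UnexpectedValueException $e) {
    error_log($e->getMessage());
}
```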
 