I am about to implement code that will make a CURL request to a URL to check whether it is a 40x or 50x web page, but my worry is when my user enters a malicious URL. How safely can the PHP CURL library handle this? Will PHP CURL also encounter the same kinds of exploits as a web browser?
- You mean what's the problem with something like `curl_init($_GET['url_userinput'])`? – Federkun Oct 23 '16 at 09:34
- @Federkun yes, I am thinking that if curl accesses a page, the web server may be exploited by the website accessed by the PHP curl? – Netorica Oct 23 '16 at 09:35
- Curl makes the request and returns the response, and that's all. The problem with something like `curl_init($_GET['url'])` is that the user can use protocols such as `file://` to read files from the server, or access `http://internal_site_behind_firewall/` to bypass access controls. Something like "I enabled curl to follow redirects, and the malicious site redirected me to `file:///etc/passwd`" is blocked by curl. – Federkun Oct 23 '16 at 09:52
- So the vulnerability will only exist if curl follows the redirection and is pointed to a file? – Netorica Oct 23 '16 at 10:00
- Use `filter_var` to ensure that curl is given a genuine `HTTP` URL rather than a `file://` URL or other improper location. – Martin Oct 23 '16 at 10:51
1 Answer
As with any other software, curl is not perfect and has its own bugs and security risks. But since CURL doesn't interpret the results, i.e. doesn't parse HTML or JavaScript, the attack surface is much smaller. In short, it's much safer than a web browser. Most of the security risks concern bad programmers who exploit the servers they use to run curl, more than end users.
There is a small risk that somebody could supply a URL specifically engineered to exploit CURL and then your site. There is also the improbable risk that your mechanism could be used to harm other people. For instance, it could be used to flood other people by forcing the check of a specific page multiple times. But these are very small risks and are mainly the domain of system administrators, who can monitor resource usage of the whole system and catch bad behaviour.
As a programmer you should probably check the obvious: the request shouldn't continue for a long time, the URL shouldn't be too long, etc. But you can't really do much else.
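A hardened version of the status check discussed in the comments and the answer, added here as an example (it is not code from the question or the answer). It assumes PHP 7.1+ with the curl extension; the function name `check_status` and the timeout values are my own choices.

```php
<?php
// Added example: check a user-supplied URL for a 4xx/5xx status while
// restricting what curl may reach (scheme, private addresses, redirects,
// time). Assumes PHP 7.1+ with ext-curl; names and timeouts are assumptions.

function check_status(string $url): ?int
{
    // 1. Only accept syntactically valid http(s) URLs that carry a host.
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return null;
    }
    $parts  = parse_url($url);
    $scheme = strtolower($parts['scheme'] ?? '');
    if (!in_array($scheme, ['http', 'https'], true) || empty($parts['host'])) {
        return null;
    }

    // 2. Resolve the host ourselves and reject private/reserved ranges, so a
    //    URL like http://internal_site_behind_firewall/ is refused before curl runs.
    $ips = gethostbynamel($parts['host']);
    if ($ips === false) {
        return null;
    }
    foreach ($ips as $ip) {
        if (filter_var($ip, FILTER_VALIDATE_IP,
                FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) === false) {
            return null;
        }
    }

    $port = $parts['port'] ?? ($scheme === 'https' ? 443 : 80);
    $ch   = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_NOBODY          => true,   // HEAD request: only the status is needed
        CURLOPT_RETURNTRANSFER  => true,
        CURLOPT_FOLLOWLOCATION  => false,  // never follow redirects (file://, internal hosts)
        CURLOPT_PROTOCOLS       => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_CONNECTTIMEOUT  => 5,      // bound how long one check may take
        CURLOPT_TIMEOUT         => 10,
        // Pin curl to the address we vetted, so a second DNS lookup cannot
        // hand it a different (internal) address between the check and the request.
        CURLOPT_RESOLVE         => ["{$parts['host']}:{$port}:{$ips[0]}"],
    ]);
    curl_exec($ch);
    $status = curl_errno($ch) === 0 ? (int) curl_getinfo($ch, CURLINFO_RESPONSE_CODE) : null;
    curl_close($ch);
    return $status;
}
```

Call it as `check_status($_GET['url'] ?? '')` and treat a `null` result as "rejected or unreachable"; a returned code of 400 or above is the 40x/50x case the question asks about.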