1

I have a page like this. User write an URL into a form and submit. Once the URL is submitted, I connect that page with CURL, search for a string. If it finds the string, it adds URL into our database. If not, it gives an error to user.

I sanitize URL with htmlspecialchars() also a regex to allow A-Z, 1-9, :/-. symbols. I also sanitize the content retrieved from other website with htmlspecialchars() also.

My question is, can they enter an URL like; www.evilwebsite.com/shell.exe or shell.txt

Would PHP run it, or simply look for the HTML output? Is it safe as it is or if not, what should I do?

Thank you.

Ps. allow_url_fopen is disabled. That's why I use curl.

Improve this question
0

2 Answers 2

Reset to default
5

I don't see why htmlspecialchars or a Regex would be necessary here, you don't need those. Also, there is no way that PHP will "automatically" parse the content retrieved using cURL. So yes, it is save (unless you do stuff like eval with the output).

However, when processing the retrieved content later, be aware that the input is user-provided and needs to be handled accordingly.

Improve this answer
Sign up to request clarification or add additional context in comments.

3 Comments

Actually, the only thing I do with the retrieved content is doing a basic regex scan. For example, if the retrieved content contains a "Hello" text anywhere, it will insert the URL into database. If not, it will error user like "Hello text is not found in this page." Is there any steps I should take while scanning for "Hello" text?
@AnılÜnal: No, that's perfectly secure. But you should still drop that unnecessary sanitization, it could break certain URLs and cause denial of service.
htmlspecialchars() does not save you from the eval eye :-) I think his point was to prevent XSS.
1

curl makes a request and to a server and the server sends back data. If there were an executable file on a web server you'd get back the binary of the file. Unless you write the file to your disk and execute it there should be no problem. Security in that sense should not be an issue.

Improve this answer

3 Comments

Unless you find some vulnerability in the version of cURL the server is using or the PHP script parsing it, at which point you have complete control of the data going to it (if you host the provided URL )
Well what you do with the data can cause security flaws but cURL should not. The only vulnerability I can think of is buffer overflows, but PHP handles and protects against that. What sort of vulnerabilities are you thinking about?
@Patrick: PHP handles and protects against that? That's news to me. Also, there exist plenty other types of vulnerabilities, especially in software like PHP. But that's not actually relevant to the question, as you can't do much against that risk short of sandboxing your web-server.

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.