PHP Errors – HTTP API Should be Used, not file_get_contents()

  • Resolved blackhawkcybersec

    (@blackhawkcybersec)


    7 years, 11 months ago

    We were testing the plugin out, and found that you’re using the file_get_contents() function to request URLS.

    The following errors fire:

    
/XXXXXX/wp-content/plugins/mywebtonet-performancestats/mywebtonet-performancestats.php on line 654
PHP Warning:  file_get_contents(https://static.webhosting.dk/1mbfile): failed to open stream: no suitable wrapper could be found in /XXXXXX/wp-content/plugins/mywebtonet-performancestats/mywebtonet-performancestats.php on line 654
PHP Warning:  file_get_contents(): https:// wrapper is disabled in the server configuration by allow_url_fopen=0 in /XXXXXX/wp-content/plugins/mywebtonet-performancestats/mywebtonet-performancestats.php on line 655
PHP Warning:  file_get_contents(https://ajax.googleapis.com/ajax/libs/jquery/1.7.2/jquery.js): failed to open stream: no suitable wrapper could be found in /XXXXXX/wp-content/plugins/mywebtonet-performancestats/mywebtonet-performancestats.php on line 655
PHP Warning:  file_get_contents(): https:// wrapper is disabled in the server configuration by allow_url_fopen=0 in /XXXXXX/wp-content/plugins/mywebtonet-performancestats/mywebtonet-performancestats.php on line 658
PHP Warning:  file_get_contents(https://ajax.googleapis.com/ajax/libs/jquery/1.7.2/jquery.js): failed to open stream: no suitable wrapper could be found in /XXXXXX/wp-content/plugins/mywebtonet-performancestats/mywebtonet-performancestats.php on line 658
PHP Warning:  file_get_contents(): https:// wrapper is disabled in the server configuration by allow_url_fopen=0 in /XXXXXX/wp-content/plugins/mywebtonet-performancestats/mywebtonet-performancestats.php on line 659
PHP Warning:  file_get_contents(https://ajax.googleapis.com/ajax/libs/jquery/1.7.2/jquery.js): failed to open stream: no suitable wrapper could be found in /XXXXXX/wp-content/plugins/mywebtonet-performancestats/mywebtonet-performancestats.php on line 659
PHP Warning:  file_get_contents(): https:// wrapper is disabled in the server configuration by allow_url_fopen=0 in /XXXXXX/wp-content/plugins/mywebtonet-performancestats/mywebtonet-performancestats.php on line 660
PHP Warning:  file_get_contents(https://ajax.googleapis.com/ajax/libs/jquery/1.7.2/jquery.js): failed to open stream: no suitable wrapper could be found in /XXXXXX/wp-content/plugins/mywebtonet-performancestats/mywebtonet-performancestats.php on line 660
PHP Warning:  file_get_contents(): https:// wrapper is disabled in the server configuration by allow_url_fopen=0 in /XXXXXX/wp-content/plugins/mywebtonet-performancestats/mywebtonet-performancestats.php on line 661
PHP Warning:  file_get_contents(https://ajax.googleapis.com/ajax/libs/jquery/1.7.2/jquery.js): failed to open stream: no suitable wrapper could be found in /XXXXXX/wp-content/plugins/mywebtonet-performancestats/mywebtonet-performancestats.php on line 661
PHP Warning:  file_get_contents(): https:// wrapper is disabled in the server configuration by allow_url_fopen=0 in /XXXXXX/wp-content/plugins/mywebtonet-performancestats/mywebtonet-performancestats.php on line 662
PHP Warning:  file_get_contents(https://ajax.googleapis.com/ajax/libs/jquery/1.7.2/jquery.js): failed to open stream: no suitable wrapper could be found in /XXXXXX/wp-content/plugins/mywebtonet-performancestats/mywebtonet-performancestats.php on line 662
PHP Warning:  file_get_contents(): https:// wrapper is disabled in the server configuration by allow_url_fopen=0 in /XXXXXX/wp-content/plugins/mywebtonet-performancestats/mywebtonet-performancestats.php on line 663
PHP Warning:  file_get_contents(https://ajax.googleapis.com/ajax/libs/jquery/1.7.2/jquery.js): failed to open stream: no suitable wrapper could be found in /XXXXXX/wp-content/plugins/mywebtonet-performancestats/mywebtonet-performancestats.php on line 663
PHP Warning:  file_get_contents(): https:// wrapper is disabled in the server configuration by allow_url_fopen=0 in /XXXXXX/wp-content/plugins/mywebtonet-performancestats/mywebtonet-performancestats.php on line 671
PHP Warning:  file_get_contents(https://static.webhosting.dk/1mbfile): failed to open stream: no suitable wrapper could be found in /XXXXXX/wp-content/plugins/mywebtonet-performancestats/mywebtonet-performancestats.php on line 671

    Sorry to be blunt, but using file_get_contents() to retrieve URLs is a bad coding practice for both compatibility and security.

    Security:

    You are potentially putting user websites at risk by using the file_get_contents() function to retrieve URLS. This is quite possibly the single worst way to retrieve remote files/URLS. For best security, servers should set allow_url_fopen and allow_url_include options to Off (or 0) in their php.ini settings, which will prevent scripts from retrieving or including remote URLS using insecure methods, thus reducing the risk of various exploits.

    Also, since you are requesting insecure URLs (non-https), this opens sites using your plugin up to Man in the Middle attacks. Not only does SSL/TLS encrypt the data, but it also provides verification the the requested site is legit, and not an imposter. Any time a plugin or script requests data from an external site, it needs to be done via HTTPS. If you want to give the user the option to use either HTTPS or HTTP, then you need to set the default to secure, and only switch to insecure if the user has made a specific choice, and should provide a security warning if the insecure option is chosen.

    Compatibility:

    As mentioned above, many sites set allow_url_fopen and allow_url_include to Off in their php.ini settings for security reasons. Best security practices require this If you depend on the file_get_contents() function, your plugin won’t be very compatible.

    Even using CURL would even be preferred to file_get_contents(), but calling CURL directly is not a WordPress coding best practice, and therefore not recommended. Plugin developers should be using the WordPress HTTP API for retrieving remote URLs, as it provides a secure framework, and takes care of potential compatibility issues. More info on the HTTP API in the developer docs.

    Additionally the following error fired:

    
PHP Notice:  Undefined variable: headertext in /XXXXXX/wp-content/plugins/mywebtonet-performancestats/mywebtonet-performancestats.php on line 363

    While an undefined variable is technically not a major issue, it’s still best practice to initialize all variables, to prevent unexpected results.

    Please fix these glaring issues.

Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Author mywebtonet

    (@mywebtonet)

    Hi

    This has been sorted a while back, all in order.

    Rgds

    Plugin Author mywebtonet

    (@mywebtonet)

    Hi Blackhawk

    this issue has been resolved 5 months ago, and you have still not changed your rating for this plugin, we appreciate you had a look at it, and the issue you reported was corrected, can we ask you to update your review?

    Rgds

    Plugin Author mywebtonet

    (@mywebtonet)

    Hi Blackhawk

    Set as resolved now.

    Rgds

Viewing 3 replies - 1 through 3 (of 3 total)
  • The topic ‘PHP Errors – HTTP API Should be Used, not file_get_contents()’ is closed to new replies.