• I’ve found a security problem with this plugin.
    After I updated it, it broke!

    It always shows me this message: “file_get_contents() has been disabled for security reasons in <b>/home/www/wp-content/plugins/types/library/twig/twig/lib/Twig/Loader/Filesystem.php”

    My website is installed on AWS, and they probably block that old function.

    So, I’ve decided to replace this original function in the file “Filesystem.php”:

    public function getSource($name)
    {
        return file_get_contents($this->findTemplate($name));
    }

    with this:

    public function getSource($name)
    {
        if (function_exists('curl_exec')) {
            // cURL treats $name as a URL
            $conn = curl_init($name);
            curl_setopt($conn, CURLOPT_SSL_VERIFYPEER, true);
            curl_setopt($conn, CURLOPT_FRESH_CONNECT, true);
            curl_setopt($conn, CURLOPT_RETURNTRANSFER, 1);
            $url_get_contents_data = curl_exec($conn);
            curl_close($conn);
        } elseif (function_exists('file_get_contents')) {
            $url_get_contents_data = file_get_contents($name);
        } elseif (function_exists('fopen') && function_exists('stream_get_contents')) {
            $handle = fopen($name, 'r');
            $url_get_contents_data = stream_get_contents($handle);
        } else {
            // No reader available
            $url_get_contents_data = false;
        }
        return $url_get_contents_data;
    }

    And it works fine for me!
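
An added example (not part of the original post, and not Twig or Toolset code): one way to keep the template read local when `file_get_contents()` is disabled. It reads the resolved path that `findTemplate()` returns instead of handing the template name to cURL, refuses URL-style paths, and confines reads to a template root. `is_usable()`, `read_local_template()` and the temporary directory are hypothetical names constructed for the example.

```php
<?php
// Added example: hypothetical helpers, not Twig or Toolset code.
/** True when $fn exists and is not listed in php.ini disable_functions. */
function is_usable(string $fn): bool
{
    $disabled = array_map('trim', explode(',', (string) ini_get('disable_functions')));
    return function_exists($fn) && !in_array($fn, $disabled, true);
}
/** Read $path (the resolved path findTemplate() returns) only if it lies under $templateRoot. */
function read_local_template(string $path, string $templateRoot): string
{
    // Refuse stream wrappers and URLs (http://, php://, phar://, ...).
    if (preg_match('#^[a-z][a-z0-9+.\-]*://#i', $path)) {
        throw new RuntimeException('Template path must not be a URL');
    }
    // Resolve symlinks and ".." before comparing against the root.
    $root = realpath($templateRoot);
    $real = realpath($path);
    if ($root === false || $real === false
        || strncmp($real, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        throw new RuntimeException('Template is outside the template root');
    }
    if (is_usable('file_get_contents')) {
        $data = file_get_contents($real);
    } elseif (is_usable('fopen') && is_usable('stream_get_contents')) {
        $handle = fopen($real, 'rb');
        $data = $handle === false ? false : stream_get_contents($handle);
        if ($handle !== false) {
            fclose($handle);
        }
    } else {
        $data = false;
    }
    if ($data === false) {
        throw new RuntimeException('Unable to read template');
    }
    return $data;
}

// Constructed demo: a temporary directory stands in for the template root.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'tpl_demo_' . getmypid();
is_dir($root) || mkdir($root);
file_put_contents($root . '/hello.twig', 'Hello {{ name }}');
echo read_local_template($root . '/hello.twig', $root), PHP_EOL;
try {
    read_local_template('https://example.invalid/x.twig', $root);
} catch (RuntimeException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```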

Viewing 1 replies (of 1 total)
  • Anonymous User 14808221

    (@anonymized-14808221)

    TWIG is a widely used library, used by several plugins.
    We cannot change the content of that library unless we want to create our own.

    We use this function also elsewhere in our files.

    I don’t know of any security flaws in file_get_contents().
    Can you point me to online documentation where this is declared as unsafe?

    We would of course then analyse whether this is used safely in Types.
    It is not common to block that function.

  • The topic ‘Toolset Types broke after update’ is closed to new replies.