[RESOLVED] using include() or require() from a remote webserver

semtex

I'm using include() and require() a few times in my website to include documents that reside on another web server (where my CMS resides).

Normally I use the extension .inc.php to indicate my include files. The cool thing about the .php extension is of course that no one can read the include files when they are accessed directly from a browser (they're parsed as php).

But because I'm including these files from a remote webserver, I can't use the .php extension. Because if I do, the include files are parsed as php before they're included. So I have to use the extension .inc

The bad thing now is that everyone can see the source code of these .inc files when accessed directly from their browser. So I want to protect these files, but I don't know how. Htaccess is no option because if i use that, i can't include the files anymore.

Installer

Did you try using <FilesMatch> in .htaccess, along with deny, allow?

semtex

hmmm... interesting. does that mean you can't access a particular file directly? yet you can access it through another document?

Installer

Give it a try.

<FilesMatch "regular expression to match your files">
Order Deny,Allow
Deny from all
Allow from example.com
</FilesMatch>

MarkR

Do not use require() or include() on remote files - you do not understand what it does and it does something which is NEVER desirable.

Using include() on a remote file will create a potential security compromise if the remote server is ever compromised (or if it's under a different administrative domain in the first place). Just don't do it.

If you must fetch data from an external server in realtime, read it with the fopen() group of functions, such as fopen or file_get_contents, then don't evaluate it as PHP code. Make whatever sanity checks etc are necessary before displaying it (e.g. validation, escaping).

If you think you need to execute code from a remote server, you probably need to redesign your application so you don't.

Mark

bradgrafelman

Why are you trying to parse PHP data from a different server? Can you not simply host these PHP files locally?

If not, can't you simply make the remote PHP scripts output any data you need instead? I'm having a hard time finding any reason why hosting PHP source code across different servers would be useful.

MarkR wrote:
If you think you need to execute code from a remote server, you probably need to redesign your application so you don't.

semtex

Wel, actually, it's on the same webserver, but on another domain. I have a CMS set up on my own domain. The websites that use this CMS are hosted on the same webserver and use the CMS for updating their content. All my classes are on my own domain. I do it like that because it gives me the ability to easily upgrade my CMS for all websites.

That's the reason. If you think there's a better solution for this, let me know. This discussion is very interesting to me.

bradgrafelman

If safe_mode isn't enabled, you can still use the full system path, i.e.

include_once '/home/myotherdomain.com/public_html/includes/myFile.php';

Find out the full path of the PHP files and try including them locally.

semtex

safe_mode is enabled. so the full system path doesn't work.

i will look into the fopen() group of functions now.

semtex

MarkR wrote:
Do not use require() or include() on remote files - you do not understand what it does and it does something which is NEVER desirable.

Using include() on a remote file will create a potential security compromise if the remote server is ever compromised (or if it's under a different administrative domain in the first place). Just don't do it.

If you must fetch data from an external server in realtime, read it with the fopen() group of functions, such as fopen or file_get_contents, then don't evaluate it as PHP code. Make whatever sanity checks etc are necessary before displaying it (e.g. validation, escaping).

If you think you need to execute code from a remote server, you probably need to redesign your application so you don't.

Mark

Hi Mark, why would using file_get_contents() be more secure than using include()?
Is it because you can do the essential checks when using file_get_contents()?

If yes, what checks would be the most essential? Could you supply an example and why it is necessary? Sorry if I'm asking to much. You've been a great help so far.

MarkR

semtex wrote:
Hi Mark, why would using file_get_contents() be more secure than using include()?

Because include() would retrieve a file from the remote server, and immediately EXECUTE IT AS PHP.

This of course, creates a massive potential security hole, as if someone was to compromise the remote server they could run arbitrary code on yours!

Mark

semtex

and what would be the most essential checks before I eval() the string?

bradgrafelman

Well, you'd want to make sure the string isn't something like "2 + 2; exec('rm * -rf');" etc.