Reactgular

Reputation: 54791

How to prevent cURL from connecting to localhost?

I'm implementing a PHP service that allows a bookmarking app to fetch the page titles of URLs. The server will download the HTML and extract the page title, but this requires that the user provides the URL to fetch.

From a security standpoint, I'm thinking that the user could attack the localhost to see if there are any HTTP services that are not exposed externally.

I have tried to configure which network interface cURL should use, but this requires that the PHP be configured with which interface. That might be an issue when I run this service in a container like Docker which would make that more difficult.

Is there a configuration option for cURL that prevents connections to the localhost?

Or is there a way to tell cURL to only use the external network interface?

Upvotes: 1

Views: 627

Answers (1)

hanshenrik

Reputation: 21513

Check this answer, and this code in particular:

    // $url is the user-supplied URL; $errors collects validation messages.
    $errors = [];
    $info = parse_url($url);
    $host = strtolower($info["host"] ?? "");
    // Reject the literal name "localhost" and any IP literal in a private or reserved range.
    if ($host === "localhost" || ((false !== filter_var($host, FILTER_VALIDATE_IP)) && (false === filter_var($host, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE)))) {
        $errors[] = "localhost and LAN IP URLs are not allowed.";
    }

(But as explained in the referenced answer, you should probably also watch out for non-HTTP URLs supplied by hackers, such as file:///etc/passwd, which would make curl return filesystem-local files.)

Upvotes: 1
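The check in the answer looks only at the literal host string, so a DNS name that resolves to 127.0.0.1, or a redirect to a private address issued after the check, gets past it. The following is an added example (my own code, not from the question or the answer) that also restricts the scheme, resolves the name before checking it, disables redirects and pins cURL to the address that was checked; the function and variable names are assumptions, as is PHP >= 7.1 with ext-curl.

```php
<?php
// Added example (not the question's or answer's code); assumes PHP >= 7.1 with ext-curl.
// Reject a user-supplied URL unless it is http(s) to a public address, and
// return a cURL handle already pinned to the address that was checked.
function curl_for_public_url(string $url)
{
    $u = parse_url($url);
    if ($u === false || empty($u['scheme']) || empty($u['host'])) {
        throw new InvalidArgumentException('Malformed URL.');
    }
    $scheme = strtolower($u['scheme']);
    if (!in_array($scheme, ['http', 'https'], true)) {
        throw new InvalidArgumentException('Only http/https is allowed.'); // no file://, gopher://, ...
    }
    $host = strtolower(trim($u['host'], '[]'));              // strip IPv6 brackets
    $port = $u['port'] ?? ($scheme === 'https' ? 443 : 80);
    if ($host === 'localhost' || substr($host, -10) === '.localhost') {
        throw new InvalidArgumentException('localhost is not allowed.');
    }
    // A literal IP is checked as-is; a DNS name is resolved first, so a record pointing
    // at 127.0.0.1 or 10.x.x.x is caught too (IPv4 only: gethostbynamel() returns A records).
    $literal = filter_var($host, FILTER_VALIDATE_IP) !== false;
    $ips = $literal ? [$host] : (gethostbynamel($host) ?: []);
    if ($ips === []) {
        throw new InvalidArgumentException('Host does not resolve.');
    }
    foreach ($ips as $ip) {
        if (filter_var($ip, FILTER_VALIDATE_IP,
                FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) === false) {
            throw new InvalidArgumentException("Private or reserved address: $ip");
        }
    }
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER  => true,
        CURLOPT_FOLLOWLOCATION  => false,   // a redirect to 127.0.0.1 would bypass the check above
        CURLOPT_PROTOCOLS       => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTP | CURLPROTO_HTTPS,
    ]);
    if (!$literal) {
        // Pin the checked address so a second DNS lookup (DNS rebinding) cannot
        // swap in an internal address between the check and the fetch.
        curl_setopt($ch, CURLOPT_RESOLVE, ["$host:$port:{$ips[0]}"]);
    }
    return $ch;
}
```

Run curl_exec() on the returned handle and extract the title from the body as before; because redirects are disabled, a 3xx response is simply reported to the user rather than followed.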
