[GH-ISSUE #161] use of fopen #128

New issue

Closed

opened 2026-02-26 09:36:08 +03:00 by kerem · 1 comment

kerem commented 2026-02-26 09:36:08 +03:00

Owner

Copy link

Originally created by @simongareste on GitHub (Dec 7, 2015).
Original GitHub issue: https://github.com/opensolutions/ViMbAdmin/issues/161

Hi,

You currently use fopen to check for new versions:

# library/ViMbAdmin/Version.php
$handle = fopen( 'http://www.opensolutions.ie/open-source/vimbadmin/latest-v3', 'r' );

We recently had an attack through this very function last week, on another server, and had to switch off allow_url_fopen in php.ini
Would it be possible to check the latest version using another way?

Originally created by @simongareste on GitHub (Dec 7, 2015). Original GitHub issue: https://github.com/opensolutions/ViMbAdmin/issues/161 Hi, You currently use fopen to check for new versions: ``` # library/ViMbAdmin/Version.php $handle = fopen( 'http://www.opensolutions.ie/open-source/vimbadmin/latest-v3', 'r' ); ``` We recently had an attack through this very function last week, on another server, and had to switch off allow_url_fopen in php.ini Would it be possible to check the latest version using another way?

kerem closed this issue 2026-02-26 09:36:09 +03:00

kerem commented 2026-02-26 09:36:10 +03:00

Author

Owner

Copy link

@barryo commented on GitHub (Jan 7, 2016):

Would it be possible to check the latest version using another way?

No, sorry 😢

There's nothing more or less insecure about fopen() than any other function. It's just about how it's used.

You're free to disable the version check altogether:

https://github.com/opensolutions/ViMbAdmin/blob/master/application/configs/application.ini.dist#L330

I do however appreciate that we could parse the response better. I'll commit a fix for that now - thanks for making me have a closer look 😄

<!-- gh-comment-id:169812387 --> @barryo commented on GitHub (Jan 7, 2016): > Would it be possible to check the latest version using another way? No, sorry :cry: There's nothing more or less insecure about `fopen()` than any other function. It's just about how it's used. You're free to disable the version check altogether: https://github.com/opensolutions/ViMbAdmin/blob/master/application/configs/application.ini.dist#L330 I do however appreciate that we could parse the response better. I'll commit a fix for that now - thanks for making me have a closer look :smile:

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

master

dependabot/composer/smarty/smarty-4.3.1

v2

3.4.1

3.4.0

3.3.0

3.2.1

3.2.0

3.1.1

3.1.0

3.0.15

3.0.14

3.0.13

3.0.12

3.0.11

2.2.4

3.0.10

3.0.9

3.0.8

3.0.7

3.0.6

3.0.5

3.0.4

3.0.3

3.0.2

3.0.1

3.0.0

2.2.3

2.2.2

2.2.1

2.2.0

2.1.0

2.0.8

2.0.7

2.0.6

2.0.5

2.0.4

2.0.3

2.0.2

2.0.1

2.0.0

0.3.4

0.3.3

0.3.2

0.3.1

0.3

Labels

Clear labels   

bug

  

feature

  

feature

  

improvement

  

improvement

  

pull-request

Mirrored from GitHub Pull Request

No labels

bug

feature

feature

improvement

improvement

pull-request

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

starred/ViMbAdmin-opensolutions#128

No description provided.