Setting allow_url_fopen to false used to be a common security practice, as it prevented include()ing remote PHP files (remote file inclusion; I see this task has since been taken over by allow_url_include, but the older setting is still widely deployed). So this'll be a common occurrence.
Since there's a dependency on curl already, and using curl gives you more control over the process anyway (timeouts, certificate verification), I added this to ykval-common.php:
--- ykval-common.php.old 2013-09-25 21:33:32.000000000 +0200
+++ ykval-common.php 2013-10-08 00:51:40.764063673 +0200
@@ -208,8 +208,51 @@
return $str;
}
-function retrieveURLsimple ($url, $match="^OK") {
- foreach (file($url) as $line) {
+function retrieveURLsimple ($url, $logger, $match="^OK") {
+ global $baseParams;
+
+ $result = array();
+ if (!ini_get('allow_url_fopen')) {
+
+ $ch = curl_init();
+
+ curl_setopt($ch, CURLOPT_URL, $url);
+ curl_setopt($ch, CURLOPT_HEADER, 0);
+ curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
+ curl_setopt($ch, CURLOPT_FAILONERROR, 1);
+ curl_setopt($ch, CURLOPT_TIMEOUT, 5);
+
+ // if https, we really should check the CA for the KSM
+
+ if (substr($url,0,8) == "https://") {
+ if (isset($baseParams['__YKVAL_CAPATH__'])) {
+ // point this to your local selection of acceptable CA certificates,
+ // don't forget to run c_rehash if you're using openssl
+ curl_setopt($ch, CURLOPT_CAPATH, $baseParams['__YKVAL_CAPATH__']);
+ }
+ }
+
+ $result = curl_exec($ch);
+ if (curl_errno($ch)!=0) {
+ $logger->log(LOG_INFO, 'curl failed: '.curl_error($ch));
+ curl_close($ch);
+ return false;
+ }
+
+ curl_close($ch);
+
+ $result = explode("\n",$result);
+
+ } else {
+ $result = file($url);
+ }
+
+ //left here to aid debugging
+ //$logger->log(LOG_DEBUG, log_format("YK-KSM url: ", $url));
+ //$logger->log(LOG_DEBUG, log_format("YK-KSM response: ", $result));
+ //curl_setopt($ch, CURLOPT_VERBOSE, 1);
+
+ foreach ($result as $line) {
if (preg_match("/".$match."/", $line)) {
return $line;
}
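Review bot: The https branch only sets CURLOPT_CAPATH when `__YKVAL_CAPATH__` is configured and never states CURLOPT_SSL_VERIFYPEER/CURLOPT_SSL_VERIFYHOST, so certificate checking on the KSM link — whose "OK" response is what KSMdecryptOTP trusts as the decrypted OTP — rests entirely on libcurl/PHP defaults; make it explicit with `curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);` and `curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);` ahead of the CAPATH block, and consider `curl_setopt($ch, CURLOPT_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS);` so a misconfigured URL cannot select another scheme. With no CAPATH configured, any certificate chaining to the system bundle is accepted for the KSM host; for an internal service, pointing CURLOPT_CAINFO at the KSM's own CA is the stronger setting and worth saying in the comment at the `// if https` line. The `else` branch keeps `file($url)` whenever allow_url_fopen is on, and PHP's https stream wrapper did not verify peer certificates by default before PHP 5.6, so the two configurations end up with different TLS guarantees; since curl is already a hard dependency, taking the curl path unconditionally would remove that difference (the fallback also inherits the old `foreach (false as ...)` warning when file() fails). The function's closing lines fall outside the hunk.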
@@ -221,17 +264,17 @@
function KSMdecryptOTP($urls, $logger) {
$ret = array();
if (!is_array($urls)) {
- $response = retrieveURLsimple ($urls);
+ $response = retrieveURLsimple ($urls, $logger);
} elseif (count($urls) == 1) {
- $response = retrieveURLsimple ($urls[0]);
+ $response = retrieveURLsimple ($urls[0], $logger);
} else {
$response = retrieveURLasync ("YK-KSM", $urls, $logger, $ans_req=1, $match="^OK", $returl=False, $timeout=10);
if (is_array($response)) {
$response = $response[0];
}
}
Feel free to hack away at this if you don't like the global, for example, or if you feel the old way of doing it should be removed.