Security issue: Use of fopen (allow_url_fopen)

Created on 1 November 2017, about 7 years ago
Updated 28 November 2024, 24 days ago

Request

Please remove the use of fopen() from Smart IP. When the recommended php.ini server setting of ‘allow_url_fopen = Off’ is set, Smart IP throws errors and does not download the MaxMind GeoIP2 binary database.

To Recreate

Settings from /admin/config/people/smart_ip

Use MaxMind GeoIP2 binary database.
MaxMind GeoIP2 binary database version => Lite
MaxMind GeoIP2 binary database edition => City
Automatic MaxMind GeoIP2 binary database update => Yes

‘Update database now’ results in:

Database last updated on 11/1/2017 at 12:28:04 CDT

Even though no database has been downloaded. An empty file is created.

‘Recent log messages’ contains the actual error:

Warning: fopen(): http:// wrapper is disabled in the server configuration by allow_url_fopen=0 in smart_ip_maxmind_bin_db_update() (line 461 of sites/all/modules/smart_ip/includes/smart_ip.utility.inc).

Manual fix

cd sites/default/files/private/smart_ip
rm GeoLite2-City.mmdb
wget -c "http://geolite.maxmind.com/download/geoip/database/GeoLite2-City.tar.gz"   # *
tar -zxf GeoLite2-City.tar.gz
cp GeoLite2-City_20171003/GeoLite2-City.mmdb .

* From https://dev.maxmind.com/geoip/geoip2/geolite2/

You will need to change path(s) and/or filename(s) based upon your site’s settings.

After manually adding the file, per above, the rest of Smart IP seems to work properly.

You are also advised to turn off automatic updates, see next section.

Additional Errors

Changing

Automatic MaxMind GeoIP2 binary database update => No

Results in a near WSOD upon ‘Save configuration.’

The configuration options have been saved.
The website encountered an unexpected error. Please try again later. 

The change is saved as can be seen after reloading the /admin/config/people/smart_ip page.

Similar issues (w/ patches)

#2847364: Fallback to cURL if allow_url_fopen disabled in PHP configuration (D8)

Although why not use one of the Drupal 7 API calls instead?

https://api.drupal.org/api/drupal/modules%21system%21system.module/funct...
https://api.drupal.org/api/drupal/includes%21file.inc/function/file_crea...

Security background on why allow_url_fopen should always be off:

https://stackoverflow.com/questions/127534/should-i-allow-allow-url-fope...
https://security.stackexchange.com/questions/103427/what-are-php-allow-u...

or Google for yourself...

Note: Drupal is never the only thing on a server…
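As an added illustration of the point above (this is example code written for this page, not Smart IP's code and not one of the Drupal API functions linked above), the following plain-PHP downloader does what the report asks for: it never opens a remote URL through PHP's stream wrappers, so it works with allow_url_fopen = Off; it refuses anything but http/https; it fails closed instead of leaving an empty GeoLite2 file behind; and it only reports a "last updated" time when a download actually succeeded. The function names, the $url/$destination parameters and the temp-file-then-rename handling are assumptions for illustration; extracting the downloaded .tar.gz is left to the caller, as in the manual fix above.

```php
<?php
// Added example, not Smart IP's code. Function names and the behaviour of
// writing to a temp file and renaming are assumptions for illustration.

// The check the module could make before calling fopen() on an http:// URL:
// the ini value may be "0", "", "Off" or "1", so normalise it to a boolean.
function smartip_example_url_fopen_enabled(): bool {
    return filter_var(ini_get('allow_url_fopen'), FILTER_VALIDATE_BOOLEAN);
}

// Download $url to $destination using the cURL extension instead of URL
// stream wrappers. Returns true only if a non-empty file is now in place.
function smartip_example_fetch_file(string $url, string $destination): bool {
    if (!function_exists('curl_init')) {
        trigger_error('cURL extension not available; cannot download ' . $url, E_USER_WARNING);
        return false;
    }

    // Write into a temp file in the target directory first, so a failed
    // download never leaves an empty or truncated database behind.
    $tmp = tempnam(dirname($destination), 'geoip-');
    if ($tmp === false) {
        return false;
    }
    $fh = fopen($tmp, 'wb');   // local path: unaffected by allow_url_fopen
    if ($fh === false) {
        @unlink($tmp);
        return false;
    }

    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_FILE            => $fh,
        CURLOPT_FOLLOWLOCATION  => true,
        CURLOPT_MAXREDIRS       => 3,
        // Only http/https, also after redirects: no file://, ftp://, gopher://
        // and none of the php:// / data:// style wrappers allow_url_fopen exposes.
        CURLOPT_PROTOCOLS       => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_SSL_VERIFYPEER  => true,
        CURLOPT_SSL_VERIFYHOST  => 2,
        CURLOPT_CONNECTTIMEOUT  => 10,
        CURLOPT_TIMEOUT         => 300,
        CURLOPT_FAILONERROR     => true,   // HTTP >= 400 is a failure, not a "file"
    ]);
    $ok   = curl_exec($ch);
    $err  = curl_error($ch);
    $code = (int) curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    curl_close($ch);
    fclose($fh);

    if ($ok === false || $code !== 200 || filesize($tmp) === 0) {
        trigger_error(sprintf('Download of %s failed (HTTP %d): %s', $url, $code, $err), E_USER_WARNING);
        @unlink($tmp);
        return false;
    }

    // Atomic replace within the same directory: readers never see a partial file.
    if (!rename($tmp, $destination)) {
        @unlink($tmp);
        return false;
    }
    return true;
}

// Record an update time only on success. The report above shows the
// "Database last updated" stamp being set even though nothing was downloaded.
function smartip_example_update(string $url, string $destination): ?int {
    return smartip_example_fetch_file($url, $destination) ? time() : null;
}
```

Usage would be `smartip_example_update($url, 'sites/default/files/private/smart_ip/GeoLite2-City.tar.gz')`, with the URL taken from the module's settings rather than hard-coded; a null return means "leave the old database and the old timestamp alone".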

🐛 Bug report
Status

Closed: outdated

Version

2.50

Component

Code

Created by

🇺🇸United States Michael-IDA


Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

  • heddn (Nicaragua)

    Drupal 7 is no longer supported in a month. Closing old issues. If this is still something you want addressed in the current 5.x version of the module, please re-open and provide some next steps.
