[Closed] allow_url_fopen OFF

Hello,

My ISP doesn't want to set allow_url_fopen to ON for security reasons.

He suggests me instead to use the fonction cURL.

Is there a way to do this? Should I modify the code? If yes, where?

Joomdle seems to be a very good solution to me, so I really would like to use it.

Best regards

Hi. Sorry to hear that.

I think you could get what you want, but you have to modify some files: you would neede to change every file_get_contents functions and related code to use cURL.

As for how to do it, I don't know, as it is been a time since I used cURL.

Hi Antonio,

Thank you for your answer!

I ask again to my ISP why they don't want to set allow_url_fopen=ON

He said that they had several attacks and this question is very sensitive to them.

I wonder if I would be able to find another ISP which would allow this.

So my question is: why should one use "allow_url_fopen=ON" and consequently take security risks if there is another and secure way to do the same job (with cURL)?

Joomdle seems to be a very nice and useful software. I have being looking for this solution for a quiet long time, but... it is also presently risky as I understood it. Why then restrict its use only to those who want to lead a dangerous life? :blink:

Unfortunately, I won't be able to modify myself the code to make is safe (I am far from being an expert, I would have to do it for all the next versions and it would take me to much of my time).

Best regards

Hi.

I guess they have the reasons for not allowing allow_url_fopen on. That said, there are plenty of hosting companies (most of them) who allow it, so I would say the risk must be not that big.
Indeed, I think the risk (if real) is for them (the hosting company) and not you, for running the code (the file_get_contents function just grabs a web page)

That said, I can say we already have the "option to use cURL" in our feature list for some next release, although I am not sure when we will implement it (as that list is pretty big already )

I will tell you when we get into it, in case you want to help with testing.

Regards,
Antonio

Hi Antonio,

Thank you for your answer. Clearly, the perception of risks is quite subjective.

Thank you for the good news!
I will be extremely happy to help with testing the future version with "option to use cURL".

All the best

Hi.

After talking with you I became curious as to how would it be to use cURL. I started taking a look after lunch, and a the end dedicated the rest of the day

Allowing cURL also involved refactoring some code (a task I was always thinking I should do) so it was quite some work.

But at the end:
- Joomdle works with cURL
- Code is nicer

If you want to try it out, that would be great, as I have only tested locally. Just send me a PM with your email address, or tell me if I should use the email account you registered in Joomdle with.

Antonio

I see you couldn't resist the challenge :>)

Hi,

These are very good news! I am very happy to read that!
:woohoo: :woohoo:

As written in my e-mail to you, the Joomdle cURL version seems OK to me, except the synchronisation of data of VirtueMart users (these data are not transmitted at all from VirtueMart to Moodle although the corresponding fields are looked in Moodle).
These are the full user data and those who can be modified by the user (with VirtueMart login).

Just for closing:

cURL support will be added in R0.25. It is working in testing already.

As for the VM bug, it is not related to cURL, and it will be fixed in R0.25 too.