2

I need to implement a simple PHP proxy in a web application I am building (it's Flash-based and the destination service provider doesn't allow edits to their crossdomain.xml file).

Can any PHP gurus offer advice on the following 2 options? Also, I think, but am not sure, that I need to include some header info as well.

Thanks for any feedback!

option1

// Take the target from the query string and stream it to the client
$path = $_GET['path'];
readfile($path);

option2

// Fetch the target named in the query string
$content = file_get_contents($_GET['path']);

if ($content !== false)
{
    echo $content;
}
else
{
    // there was an error
}
Joe
Bachalo

2 Answers

5

First of all, never ever ever include a file based only on user input. Imagine what would happen if someone would call your script like this:

http://example.com/proxy.php?path=/etc/passwd

Then onto the issue: what kind of data are you proxying? If any kind at all, then you need to detect the content type from the content, and pass it on so the receiving end knows what it's getting. I would suggest using something like HTTP_Request2 or something similar from Pear (see: http://pear.php.net/package/HTTP_Request2) if at all possible. If you have access to it, then you could do something like this:

// PEAR HTTP_Request2 must be installed and on the include path
require_once 'HTTP/Request2.php';

// First validate that the request is to an actual web address
if (!preg_match("#^https?://#", $_GET['path'])) {
        header("HTTP/1.1 404 Not found");
        echo "Content not found, bad URL!";
        exit();
}

// Make the request
$req = new HTTP_Request2($_GET['path']);
$response = $req->send();
// Output the content-type header and use the content-type of the original file
header("Content-type: " . $response->getHeader("Content-type"));
// And provide the file body
echo $response->getBody();

Note that this code hasn't been tested, this is just to give you a starting point.

TuomasR
  • really appreciate the feedback!! Will use as a starting point and let you know how it goes. I'm not a php coder but would think that there are lots of situations that demand this type of proxy... – Bachalo Jan 20 '10 at 21:25
  • Just 1 syntax error I discovered: missing a closing bracket on the if(!.... line. And I also discovered I need to install a missing HTTP_Request2 PHP class on my server – Bachalo Jan 20 '10 at 22:49
  • You're using `new HTTP_Request2($_GET['path'])`, too. Does this have some internal validation, or should you add something like that, too? – Franz Jan 20 '10 at 23:13
  • Franz: The path is first evaluated with preg_match to see if it's really a URL, see the first line of the script. – TuomasR Jan 21 '10 at 06:47
  • I just want to point out, that the regular expression should start with ^ to anchor it to the beginning of the string - otherwise someone could still read a file, by hiding the "http" part somewhere near the end of the file name (possibly after a ":" or a space). – qbolec Sep 30 '14 at 07:19
0

Here's another solution using curl. Can anyone comment?

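$ch = curl_init();
$timeout = 30;
// Forward the caller's user agent to the destination (empty if none was sent)
$userAgent = $_SERVER['HTTP_USER_AGENT'] ?? '';
curl_setopt($ch, CURLOPT_URL, $_REQUEST['url']);
// Return the body as a string instead of printing it directly
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, $timeout);
curl_setopt($ch, CURLOPT_USERAGENT, $userAgent);

$response = curl_exec($ch);
if (curl_errno($ch)) {
    echo curl_error($ch);
} else {
    echo $response;
}
// Release the handle on both the success and the error path
curl_close($ch);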
Bachalo
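The points raised across this thread (an anchored scheme check, passing the upstream Content-Type through, fetching with curl) can be combined with a host allowlist, since the proxy only needs to reach one service provider. The following is an added example, not code from either answer; `ALLOWED_HOSTS`, `api.example.com` and `validate_target()` are hypothetical names chosen for illustration.

```php
<?php
// Added example: hardened variant of the proxy discussed in this thread.
// ALLOWED_HOSTS is a hypothetical allowlist; list only the service you proxy.
const ALLOWED_HOSTS = ['api.example.com'];

/** Return the URL if it is http(s) to an allowlisted host, otherwise null. */
function validate_target(string $raw): ?string
{
    $parts = parse_url($raw);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;                       // local paths such as /etc/passwd end here
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;                       // rejects file://, php://, gopher://, ...
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        return null;                       // no credentials or "@" host confusion
    }
    if (!in_array(strtolower($parts['host']), ALLOWED_HOSTS, true)) {
        return null;                       // only the service we mean to proxy
    }
    return $raw;
}

$raw = $_GET['path'] ?? '';                // path[]=... arrives as an array
$target = is_string($raw) ? validate_target($raw) : null;
if ($target === null) {
    http_response_code(400);
    exit('Bad URL');
}

$ch = curl_init($target);
curl_setopt_array($ch, [
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_FOLLOWLOCATION => false,       // a redirect could leave the allowlist
    CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
    CURLOPT_CONNECTTIMEOUT => 10,
    CURLOPT_TIMEOUT        => 30,
]);
$body = curl_exec($ch);
$type = curl_getinfo($ch, CURLINFO_CONTENT_TYPE);
curl_close($ch);

if ($body === false) {
    http_response_code(502);               // keep curl_error() details in server logs
    exit('Upstream request failed');
}
header('Content-Type: ' . ($type ?: 'application/octet-stream'));
echo $body;
```

A scheme check alone still lets the proxy reach internal addresses such as `http://localhost/` or cloud metadata endpoints; the host allowlist is what closes that path.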