DarkGhostHunter/Captchavel

Does this package require allow_url_fopen to be enabled ?

Closed this issue · 1 comment

Hi,
Just a quick question: does your package require allow_url_fopen to be enabled in the server's php.ini?
I coded a simple Laravel Rule to verify a CaptchaV3 token, using the official Google composer package.
The problem is that this package requires allow_url_fopen to be allowed in php.ini.
I really have no idea if this is a valid security concern... but on my VPS host, they actually say that having this option enabled might be a security risk.
So, I was wondering if I should switch to your package.

Thanks

TL;DR: Not unless you don't have cURL on your server, which is highly improbable.

Long:

Not directly. It uses Laravel's HTTP Client, which is Guzzle under the hood.

Guzzle tries to use cURL, which is widely adopted on all VPS servers, as the first option. If not, it will fall back to PHP socket streams, which require allow_url_fopen.

Your VPS provider is technically not wrong. It may pose a security risk because, in a nutshell, it allows opening files as URLs, like etc/passwd, and exposing the contents.

I released a new major version of Captchavel because of the same reason. Before, it used the official Google SDK, which uses PHP streams, which in most scenarios is unreliable, slow or blocking. I pushed an update on that, but they ignored it for one fucking year, so I made my own.

Godspeed.
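The transport-selection order described in the reply (cURL first, PHP stream wrapper second, and only the latter needs allow_url_fopen) can be checked and pinned on a given server. The following is an added example, not code from Captchavel or from the thread's participants. It assumes guzzlehttp/guzzle ^7 and google/recaptcha are installed through Composer; the function and variable names are illustrative.

```php
<?php
// Added example (not part of Captchavel). Reports which HTTP transport this
// server offers and pins cURL explicitly so the stream fallback, and with it
// allow_url_fopen, is never needed. Assumes a Composer-installed
// guzzlehttp/guzzle ^7 and google/recaptcha; run from the project root.
require __DIR__ . '/vendor/autoload.php';

use GuzzleHttp\Client;
use GuzzleHttp\Handler\CurlHandler;
use GuzzleHttp\HandlerStack;
use GuzzleHttp\Utils;
use ReCaptcha\ReCaptcha;
use ReCaptcha\RequestMethod\CurlPost;

/**
 * Probe the two transports Guzzle can fall back through and predict which
 * one it would choose, in the same order as its handler selection:
 * the cURL extension first, then the PHP stream wrapper (needs allow_url_fopen).
 */
function transportReport(): array
{
    $hasCurl   = extension_loaded('curl');
    $urlFopen  = filter_var(ini_get('allow_url_fopen'), FILTER_VALIDATE_BOOLEAN);

    if ($hasCurl) {
        $predicted = 'curl';
    } elseif ($urlFopen) {
        $predicted = 'stream (allow_url_fopen=On)';
    } else {
        $predicted = 'none';
    }

    // Ask Guzzle itself; it throws when neither transport is usable.
    try {
        Utils::chooseHandler();
        $guzzleUsable = true;
        $guzzleError  = null;
    } catch (\RuntimeException $e) {
        $guzzleUsable = false;
        $guzzleError  = $e->getMessage();
    }

    return [
        'curl_extension'   => $hasCurl,
        'allow_url_fopen'  => $urlFopen,
        'predicted_handler' => $predicted,
        'guzzle_usable'    => $guzzleUsable,
        'guzzle_error'     => $guzzleError,
    ];
}

/**
 * Build a Guzzle client that uses cURL only. With an explicit CurlHandler
 * there is no stream fallback, so allow_url_fopen can stay Off in php.ini.
 */
function curlOnlyClient(): Client
{
    return new Client([
        'handler' => HandlerStack::create(new CurlHandler()),
        'timeout' => 5,
    ]);
}

/**
 * The same idea for the official google/recaptcha package: its default
 * request method uses the stream wrapper, but CurlPost swaps that for cURL.
 * $secret is a placeholder; read the real key from configuration.
 */
function curlOnlyRecaptcha(string $secret): ReCaptcha
{
    return new ReCaptcha($secret, new CurlPost());
}

// Usage: print the probe, then verify a token with the cURL-only verifier.
print_r(transportReport());

$verifier = curlOnlyRecaptcha(getenv('RECAPTCHA_SECRET') ?: 'placeholder-secret');
$response = $verifier
    ->setExpectedAction('login')   // assumed action name for this illustration
    ->setScoreThreshold(0.5)
    ->verify($_POST['g-recaptcha-response'] ?? '', $_SERVER['REMOTE_ADDR'] ?? null);

echo $response->isSuccess() ? "token accepted\n" : "token rejected\n";
```

If the probe reports `curl_extension => false` and `allow_url_fopen => false`, neither client above can reach Google's verification endpoint; install the cURL extension rather than turning allow_url_fopen on, since that setting affects every stream function in the process, not just the captcha call.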