From: Rick Karnesky <karnesky@gm...> - 2014-04-30 17:07:05

> Recently I deployed refbase on a server where allow_url_fopen was
> deactivated. Although
> http://www.refbase.net/index.php/Required_PHP-INI_Settings states that
> allow_url_fopen is only needed for (doi) import it is also used when
> showing the most recent publications on the refbase home page.

Indeed. Thanks for pointing that out. Older versions of refbase didn't
have this restriction. 'index.php' has a suggestion for replacing this
with an AJAX action. If you don't care about importing from a URL, I'd
suggest making that modification instead.

> I changed includes/include.inc.php (see attachment, the source is
> written in the comments) to use curl for fetching the data. Is there
> some security risk in this? Maybe this could be included in the trunk
> for users who cannot use `fopen'. I'm new to php though, so this code
> should be reviewed by someone more experienced.

It should be safe for index.php (there is no user-entered data that gets
put into the URI that is being fetched). But then so should the AJAX

The only other place that function is used is, as you said, on import
from a URI. This does allow user-enterable data & we'd need to be
careful to ensure that your function is safe.

Because we already support the AJAX method for the index.php, I'm not
going to push this code into SVN. But thanks for your comments. That
helps improve our online documentation.
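
Added example, not part of the original message and not refbase code: one way a curl-based fetch could be restricted when the URI comes from user input, as on the import path discussed above. The function names `vetted_ipv4_for_url()` and `fetch_remote_url()` are hypothetical, and the policy (HTTP/HTTPS only, public IPv4 only, no redirects) is an assumption about what "safe" should mean here.

```php
<?php
// Added example (hypothetical helpers, not from refbase).

// Return [host, port, ip] if the URL may be fetched, or null to refuse it.
function vetted_ipv4_for_url(string $url): ?array
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    $scheme = strtolower($parts['scheme']);
    if ($scheme !== 'http' && $scheme !== 'https') {
        return null;                        // no file://, ftp://, gopher:// ...
    }
    $ips = gethostbynamel($parts['host']);  // IPv4 only; IP literals pass through
    if ($ips === false) {
        return null;
    }
    foreach ($ips as $ip) {
        // Refuse loopback, private and other reserved address ranges.
        if (!filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4
                | FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE)) {
            return null;
        }
    }
    $port = $parts['port'] ?? ($scheme === 'https' ? 443 : 80);
    return [$parts['host'], $port, $ips[0]];
}

function fetch_remote_url(string $url): ?string
{
    $target = vetted_ipv4_for_url($url);
    if ($target === null) {
        return null;
    }
    [$host, $port, $ip] = $target;
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_FOLLOWLOCATION => false,    // a redirect would skip the checks above
        CURLOPT_RESOLVE        => ["$host:$port:$ip"], // connect only to the vetted address
        CURLOPT_CONNECTTIMEOUT => 5,
        CURLOPT_TIMEOUT        => 15,
    ]);
    $body = curl_exec($ch);
    return $body === false ? null : $body;
}

// Constructed sample inputs for the check; none of them needs network access.
foreach (['file:///etc/passwd', 'http://127.0.0.1/', 'http://10.0.0.5/x'] as $u) {
    var_dump(vetted_ipv4_for_url($u));
}
```

Pinning the address with `CURLOPT_RESOLVE` keeps curl from resolving the host name a second time, so the address that was checked is the one that is contacted.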