Please don’t use file to access remote urls.
Hi all,
Can I suggest that we don’t use the file or fopen functions to open remote URLs? This is pretty much a security hole just waiting to happen. In fact, I’ve turned off allow_url_fopen to prevent such evil.
If someone has register_globals on, there’s precious little stopping someone from redefining the variable containing the remote URL with something pleasantly malicious, or changing the URL and turning every instance of b2 into a DOS bot, or stealing cookies by displaying theft code, etc, etc, etc.
Instead I’d suggest using curl or the like to safely fetch remote content.
e.g.
in links.weblogs.com.php:73
$file = safeUrlFetch($weblogs_xml_url);

## Safer way to fetch remote data. Less likely for someone to go and
## pass in a variable named $weblogs_xml_url.
function safeUrlFetch($remoteUrl)
{
    # check that the url begins with 'http' (a prefix check with strpos;
    # strstr would accept any URL that merely contains 'http' somewhere)
    if (strpos($remoteUrl, 'http') !== 0)
    {
        # It's invalid, no soup for you.
        return [];
    }
    # fetch the data into a buffer
    $ch = curl_init($remoteUrl);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    $rawData = curl_exec($ch);
    curl_close($ch);
    if ($rawData === false)
    {
        # the transfer failed; hand back an empty array rather than splitting false
        return [];
    }
    # and split the data on new lines to behave like file()
    # (explode() replaces split(), which no longer exists in current PHP)
    return explode("\n", $rawData);
}
Granted, someone could still find some exploit with the result code, but at least this would work on sites as paranoid as I am.
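As an added illustration (not code from the post or from b2), here is a stricter version of the same idea: the feed URL comes from a fixed constant instead of a global variable, parse_url enforces a scheme and host allowlist so a redefined URL cannot point the fetch at another site or at file://, and the curl handle is limited to HTTP(S), no redirects, timeouts and a size cap. The names FEED_URL, fetch_remote_lines and $allowed_hosts are assumptions, and the sample URL is constructed.

```php
<?php
// Hypothetical configuration constant; a constant cannot be overwritten by a
// request parameter even when register_globals is on. Sample value constructed.
define('FEED_URL', 'https://example.com/feed.xml');

// Returns the body split into lines like file(), or [] on any failure.
function fetch_remote_lines($url, array $allowed_hosts)
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return [];
    }
    // Scheme allowlist: rejects file://, php://, ftp://, data: and the rest.
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return [];
    }
    // Host allowlist: a tampered URL cannot turn the site into a request bot.
    if (!in_array(strtolower($parts['host']), $allowed_hosts, true)) {
        return [];
    }
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => false,  // a redirect cannot escape the allowlist
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_CONNECTTIMEOUT => 5,
        CURLOPT_TIMEOUT        => 10,
        CURLOPT_MAXFILESIZE    => 1024 * 1024,  // refuse bodies over 1 MiB
        CURLOPT_SSL_VERIFYPEER => true,
    ]);
    $body   = curl_exec($ch);
    $status = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    curl_close($ch);
    if ($body === false || $status !== 200) {
        return [];
    }
    return explode("\n", $body);
}

// Usage: only example.com is an acceptable source for this feed.
$lines = fetch_remote_lines(FEED_URL, ['example.com']);
```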