Do file_get_contents and readfile execute PHP code?

Tags: security, php

I was always sure that the PHP functions file_get_contents and readfile execute any PHP code in any files - regardless of file type - that are given to it. I tried this on multiple setups, and it always worked.

I received a question regarding this here, and the user seems to think that this is not the case.

I looked at the PHP documentation for the functions, and they do not mention code execution (which is something that I would expect if this is normally the case, as it has serious security implications).

I also searched for it, and found a lot of claims that the functions do not execute PHP code. For example:

"readfile does not execute the code on your server so there is no issue there." (source)

Searching for "php file_get_contents code execution" also returns various questions trying to execute the retrieved PHP code, which seems odd if it would indeed normally execute any given PHP code.

I also found one question that asks about not executing PHP code, so execution does seem to happen to others as well.

So my questions are:

  • do the functions file_get_contents and readfile execute PHP code in retrieved files?
  • does this depend on some php.ini setting? If so, what setting(s)?
  • does it depend on the PHP version, and if so, what versions are affected?
  • if it is not normally the case, what may be the reasons that they execute the PHP code in my setups?
tim asked Apr 07 '16 23:04


1 Answer

file_get_contents and readfile do not execute code. All they do is return the raw contents of the file. That could be text, PHP code, binary (e.g. image files), or anything else. No interpretation of the files' contents is happening at all.

The only situations in which it may appear as if execution is happening are:

  1. <?php ?> tags will likely be hidden by the browser because it's trying to interpret them as HTML tags, so this may lead to the impression that the PHP disappeared and hence may have been executed.
  2. You're reading from a source which executes the code, e.g. when reading from http://example.com/foo.php. In this case the functions have the same effect as visiting those URLs in a web browser: the serving web server is executing the PHP code and returning the result, but file_get_contents merely gets that result and returns it.
deceze answered Sep 20 '22 17:09
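
The behaviour described in the answer can be checked locally with a file whose PHP code has a visible side effect. This is an added example, not code from the question or the answer; the file contents, the marker file and the `check` helper are constructed for the demonstration, and the closing `include` contrast is an addition that the answer does not mention.

```php
<?php
// Added example. File contents and the marker file are constructed for the demo.
$path   = tempnam(sys_get_temp_dir(), 'fgc');
$marker = $path . '.ran';

// PHP source with a visible side effect: running it would create $marker.
$source = '<?php file_put_contents(' . var_export($marker, true)
        . ', "ran"); echo "OUTPUT"; ?>';
file_put_contents($path, $source);

// Hypothetical helper: stop with an exception if an expectation fails.
function check(bool $ok, string $what): void
{
    if (!$ok) {
        throw new RuntimeException("unexpected: $what");
    }
    echo "ok: $what", PHP_EOL;
}

// file_get_contents hands back the bytes exactly as stored.
$raw = file_get_contents($path);
check($raw === $source, 'file_get_contents returned the raw source');
check(!file_exists($marker), 'no side effect after file_get_contents');

// readfile copies the same bytes to output and returns the byte count.
ob_start();
$count   = readfile($path);
$printed = ob_get_clean();
check($printed === $source && $count === strlen($source), 'readfile printed the raw source');
check(!file_exists($marker), 'no side effect after readfile');

// Point 1 of the answer: escape before sending to a browser, otherwise the
// PHP tags are parsed as HTML and the source looks as if it vanished.
echo htmlspecialchars($raw, ENT_QUOTES, 'UTF-8'), PHP_EOL;

// Contrast (not in the original answer): include parses and runs the file.
ob_start();
include $path;
$included = ob_get_clean();
clearstatcache();
check($included === 'OUTPUT', 'include produced the script output');
check(file_exists($marker), 'include ran the side effect');

unlink($path);
unlink($marker);
```

Run it with the PHP CLI. The practical consequence for code review is that a user-influenced path passed to `file_get_contents` or `readfile` is a file disclosure concern, while the same path reaching `include` or `require` is a code execution concern.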