Author Topic: allow_url_fopen is an important security problem. Please, Disable it!  (Read 1859 times)

imotor

  • Newbie
  • *
  • Posts: 12
It is necessary to have allow_url_fopen enabled to use the reCaptcha system.
This PHP directive is an important security issue when it is enabled.
Please, it is necessary that we can use the reCaptcha system without having allow_url_fopen enabled.
« Last Edit: November 07, 2017, 04:52:40 am by imotor »

Aficionado

  • Guest
Re: allow_url_fopen is an important security problem. Please, Disable it!
« Reply #1 on: November 04, 2017, 10:50:24 pm »
Nothing wrong with allow_url_fopen set to ON.

Just go ahead with your site and don't worry about that.

« Last Edit: November 04, 2017, 10:53:53 pm by Aficionado »

grazz

  • Newbie
  • *
  • Posts: 3
Re: allow_url_fopen is an important security problem. Please, Disable it!
« Reply #2 on: November 07, 2017, 12:02:16 am »
I also have a problem with the reCaptcha version 2 requiring allow_url_fopen to be set to On. The problem (and this is not uncommon) is that my hosting provider enforces allow_url_fopen to Off. The hosting provider says this is due to security concerns. I have no option to enable this setting. I suspect many other people are in a similar position.

Google have just announced that the reCaptcha version 1 will end by May 2018. At this point if OSClass doesn't support version 2 without having allow_url_fopen:On I will have to migrate to another advert software. I suspect many others will be in a similar position.

Unfortunately, considering the number of spammers on the Internet the use of reCaptcha is vital.

Please can the OSClass team consider amending the reCaptcha version 2 code to use curl rather than fopen?

« Last Edit: November 07, 2017, 12:05:08 am by grazz@ndirect.co.uk »

Aficionado

  • Guest
Re: allow_url_fopen is an important security problem. Please, Disable it!
« Reply #3 on: November 07, 2017, 12:49:56 am »
I think other plugins also require allow_url_fopen: ON.

Also, your hosting providers are not that good, so you both had better find a new and good one.


imotor

  • Newbie
  • *
  • Posts: 12
Re: allow_url_fopen is an important security problem. Please, Disable it!
« Reply #4 on: November 07, 2017, 04:52:22 am »
I think other plugins also require allow_url_fopen: ON.


True, but in my case, I have a lot of websites on my server (different forums, Joomla, WordPress, reCaptcha v2, etc.) and I have allow_url_fopen disabled without problems.


Please can the OSClass team consider amending the reCaptcha version 2 code to curl rather than fopen

This is the best option: use curl instead of fopen. Why not?

dev101

  • Osclass Hero
  • Hero Member
  • *
  • Posts: 2155
  • osclass.work
Re: allow_url_fopen is an important security problem. Please, Disable it!
« Reply #5 on: November 10, 2017, 02:12:26 pm »
If your hosting enforces it to off, ask them if they allow an override with custom php directives.
They should, and if they don't, find a better hosting.

The thing about recaptcha (or any other code that requires communication with the outside world) is that you only have a few options, really: allow_url_fopen or cURL or some custom cURL library. No other way, I'm afraid. And, if you get compromised with some shell or malicious code, they will check both for presence, and if neither is found, they might implement the support in some other way directly in their code. If you shut your site/server off from outside communication entirely (e.g. with firewall rules), it will be much more secure, but also very limited in what it can do. For example, you can whitelist some domains/servers so that captcha always works, but that goes beyond a simple forum reply's scope.

imotor

  • Newbie
  • *
  • Posts: 12
Re: allow_url_fopen is an important security problem. Please, Disable it!
« Reply #6 on: November 10, 2017, 09:24:48 pm »
If your hosting enforces it to off, ask them if they allow an override with custom php directives.
They should, and if they don't, find a better hosting.

I have my own server and I am the administrator.

I'm sorry for my insistence but ReCaptcha can work without allow_url_fopen, and I do not understand why we have to use other options.  ;)

Aficionado

  • Guest
Re: allow_url_fopen is an important security problem. Please, Disable it!
« Reply #7 on: November 10, 2017, 09:29:51 pm »
Well, then don't use it. Use some other prevention method.

grazz

  • Newbie
  • *
  • Posts: 3
Re: allow_url_fopen is an important security problem. Please, Disable it!
« Reply #8 on: November 10, 2017, 09:35:56 pm »
I have been in touch with my hosting provider and they will not allow an override to allow_url_fopen. This is not an unusual position; many hosting providers apply the same policy. I think the OSClass community are missing a trick here. reCaptcha is vital to avoid spammers, and by only allowing reCaptcha v2 to work with allow_url_fopen = On, OSClass will not be used by many people in the future; the usage will drop as people realise that reCaptcha v1 ends in May 2018 and they cannot move to v2.

Please can the community consider what ought to be a simple switch from using fopen to curl?

Thanks

imotor

  • Newbie
  • *
  • Posts: 12
Re: allow_url_fopen is an important security problem. Please, Disable it!
« Reply #9 on: November 10, 2017, 09:36:05 pm »
Well, then don't use it. Use some other prevention method.

Of course, I have no other option.  ???

imotor

  • Newbie
  • *
  • Posts: 12
Re: allow_url_fopen is an important security problem. Please, Disable it!
« Reply #10 on: November 10, 2017, 09:39:01 pm »
I have been in touch with my hosting provider and they will not allow an override to allow_url_fopen. This is not an unusual position; many hosting providers apply the same policy. I think the OSClass community are missing a trick here. reCaptcha is vital to avoid spammers, and by only allowing reCaptcha v2 to work with allow_url_fopen = On, OSClass will not be used by many people in the future; the usage will drop as people realise that reCaptcha v1 ends in May 2018 and they cannot move to v2.

Please can the community consider what ought to be a simple switch from using fopen to curl?

Thanks

Totally agree.
The question is, why is it necessary to use ReCaptcha with allow_url_fopen = On in Osclass? I do not expect an answer, but perhaps there is a compelling reason.

Aficionado

  • Guest
Re: allow_url_fopen is an important security problem. Please, Disable it!
« Reply #11 on: November 10, 2017, 09:59:43 pm »
Hosting providers that know their job well allow you to override several restrictions PER SITE or PER PLAN.

Usually with a php.ini in the root of the site or within the site folder.

I was able to do that and use "auto_prepend_file" and secure my Osclass with a firewall script wrapper.

That is why I carefully selected a hosting provider, AFTER being burned by a few. Search for Cloud Linux maybe, which totally isolates customers, and if one goes down there is no risk for others.

All in all, Captcha is what it is right now; find a provider that allows some options, or use some other way to protect from spam.

I bet you don't have spam right now, but worry you will have some in the future.


Aficionado

  • Guest
Re: allow_url_fopen is an important security problem. Please, Disable it!
« Reply #12 on: November 10, 2017, 10:06:22 pm »
Or some programmer could change the plugin and use curl. Some code (random) I found while searching, as an example:

Code:
// Prefer the cURL extension when it is loaded; it does not depend on allow_url_fopen.
if ( function_exists('curl_version') ) {
    $ch = curl_init($google_url);
    curl_setopt($ch, CURLOPT_FRESH_CONNECT, 1);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);   // return the body instead of printing it
    $response = curl_exec($ch);                    // false on transport failure
    curl_close($ch);
// Fall back to the stream wrapper only if the directive allows remote URLs.
} elseif ( ini_get('allow_url_fopen') ) {
    $response = file_get_contents($google_url);
// Neither transport is available: record the error and fail the check.
} else {
    $form->errors['recaptcha'] = $config->get('error', 'Unable to check ReCaptcha');
    $form->debug[$action_id][self::$title][] = 'Neither cURL nor file_get_contents() were available to check the ReCaptcha';
    $this->events['fail'] = 1;
    return;
}

or some ideas here:

https://forum.opencart.com/viewtopic.php?t=161727
« Last Edit: November 10, 2017, 10:07:57 pm by Aficionado »
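As an added example (not OSClass code and not taken from any post in this thread), the following PHP shows the kind of verification the replies above ask for: it POSTs the user's token to Google's documented siteverify endpoint over cURL when the extension is loaded, falls back to file_get_contents() only when allow_url_fopen is on, and treats every other outcome (no transport, network error, non-200 status, non-JSON body, success=false) as a failed check, so the form is rejected rather than silently accepted. The function names, the optional expected-hostname parameter and the usage comment are my own assumptions; the endpoint URL and the secret/response/remoteip fields and the success/hostname/error-codes response keys are Google's published API.

```php
<?php
// Added example: reCAPTCHA v2 server-side verification that prefers cURL and
// fails closed. Not OSClass code. Function names and $expectedHost are assumptions.

const RECAPTCHA_VERIFY_URL = 'https://www.google.com/recaptcha/api/siteverify';

/**
 * POST $fields to $url and return the response body, or null on any transport
 * failure. cURL is tried first because it works regardless of allow_url_fopen.
 */
function recaptcha_http_post(string $url, array $fields, int $timeout = 5): ?string
{
    $body = http_build_query($fields);

    if (function_exists('curl_init')) {
        $ch = curl_init($url);
        curl_setopt_array($ch, [
            CURLOPT_POST           => true,
            CURLOPT_POSTFIELDS     => $body,
            CURLOPT_RETURNTRANSFER => true,
            CURLOPT_CONNECTTIMEOUT => $timeout,
            CURLOPT_TIMEOUT        => $timeout,
            CURLOPT_SSL_VERIFYPEER => true,          // the secret key travels in this request
            CURLOPT_SSL_VERIFYHOST => 2,
            CURLOPT_PROTOCOLS      => CURLPROTO_HTTPS, // never downgrade to plain HTTP
            CURLOPT_FOLLOWLOCATION => false,
        ]);
        $result = curl_exec($ch);
        $status = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
        curl_close($ch);
        return ($result !== false && $status === 200) ? $result : null;
    }

    // Stream-wrapper fallback: only usable when the directive is enabled.
    if (filter_var(ini_get('allow_url_fopen'), FILTER_VALIDATE_BOOLEAN)) {
        $ctx = stream_context_create([
            'http' => [
                'method'  => 'POST',
                'header'  => "Content-Type: application/x-www-form-urlencoded\r\n",
                'content' => $body,
                'timeout' => $timeout,
            ],
            'ssl' => ['verify_peer' => true, 'verify_peer_name' => true],
        ]);
        $result = @file_get_contents($url, false, $ctx);
        return $result === false ? null : $result;
    }

    return null; // neither transport is available: caller must fail the check
}

/**
 * Returns ['success' => bool, 'reason' => string]. Only an explicit
 * success=true from Google (and, if requested, a matching hostname) passes.
 */
function recaptcha_v2_verify(string $secret, string $token, ?string $remoteIp = null, ?string $expectedHost = null): array
{
    // Reject obviously bogus tokens before spending a network round trip.
    if ($token === '' || strlen($token) > 4096) {
        return ['success' => false, 'reason' => 'missing-or-oversized-token'];
    }

    $fields = ['secret' => $secret, 'response' => $token];
    if ($remoteIp !== null) {
        $fields['remoteip'] = $remoteIp;
    }

    $raw = recaptcha_http_post(RECAPTCHA_VERIFY_URL, $fields);
    if ($raw === null) {
        return ['success' => false, 'reason' => 'transport-unavailable-or-failed'];
    }

    $data = json_decode($raw, true);
    if (!is_array($data) || !array_key_exists('success', $data)) {
        return ['success' => false, 'reason' => 'malformed-response'];
    }
    if ($data['success'] !== true) {
        return ['success' => false, 'reason' => implode(',', $data['error-codes'] ?? ['unknown'])];
    }

    // Optional binding to our own hostname: a token solved on another site that
    // happens to use the same key pair is not accepted here.
    if ($expectedHost !== null && ($data['hostname'] ?? '') !== $expectedHost) {
        return ['success' => false, 'reason' => 'hostname-mismatch'];
    }

    return ['success' => true, 'reason' => 'ok'];
}

// Usage inside a form handler (constructed example; $secret comes from your config):
// $result = recaptcha_v2_verify($secret, $_POST['g-recaptcha-response'] ?? '',
//                               $_SERVER['REMOTE_ADDR'] ?? null, 'example.com');
// if (!$result['success']) { /* reject the submission and log $result['reason'] */ }
```

The two points that matter for a site that has allow_url_fopen off are the order of the transports (cURL first, so the stream wrapper is only ever consulted when the directive permits it) and the final `return null`, which makes a missing transport surface as a failed captcha instead of letting the form through.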

grazz

  • Newbie
  • *
  • Posts: 3
Re: allow_url_fopen is an important security problem. Please, Disable it!
« Reply #13 on: November 12, 2017, 06:57:49 pm »
I have about 40 spammer registrations per day with recaptcha v1 active, hence wanting to move to recaptcha v2, which should be more effective at stopping spammers.

I'll look through the code and see if I can work out how to replace fopen with curl myself. If anyone has any pointers as to where in the code the recaptcha functions are, I'd appreciate any clues.

Thanks

Aficionado

  • Guest
Re: allow_url_fopen is an important security problem. Please, Disable it!
« Reply #14 on: November 12, 2017, 07:10:43 pm »
Also try Liath's SPAM plugin, available at Osclass Market. It is great, trust me.