Newsgroups: php.internals
Message-ID: <002701c3877f$a2369bb0$8b018552@titan>
From: wez@thebrainroom.com ("Wez Furlong")
To: "Rob Richards"
Date: Tue, 30 Sep 2003 19:21:09 +0100
Organization: The Brain Room Ltd.
Subject: [PHP-DEV] filepaths, uris, safemode, etc..

Sorry about the forwarding... had a little hiccup with my mail server...

----- Original Message -----
From: "Wez Furlong"
To: "Rob Richards"
Sent: Tuesday, September 30, 2003 7:10 PM
Subject: Re: [PHP-DEV] filepaths, uris, safemode, etc..

> Hi Rob,
>
> The streams code, and also sqlite does this when checking for safemode for
> local files:
>
> if (PG(safe_mode) && (!php_checkuid(path, NULL, CHECKUID_CHECK_FILE_AND_DIR))) {
>     return SQLITE_DENY;
> }
> if (php_check_open_basedir(path TSRMLS_CC)) {
>     return SQLITE_DENY;
> }
>
> You'll probably want to check if the path is a URI or local path first; the
> streams code checks for :// to make this decision.
>
> If you're planning to tie streams into libxml, feel free to reuse the code I
> added to pecl/soap:
> http://cvs.php.net/diff.php/pecl/soap/php_xml.c?r1=1.5&r2=1.6&ty=u
> http://cvs.php.net/diff.php/pecl/soap/soap.c?r1=1.15&r2=1.16&ty=u
>
> --Wez.
>
>
> ----- Original Message -----
> From: "Rob Richards"
> To:
> Sent: Tuesday, September 30, 2003 12:52 PM
> Subject: [PHP-DEV] filepaths, uris, safemode, etc..
>
>
> Within the dom extension, I am trying to resolve an issue with uris and
> local filepaths which are passed to libxml.
> When I get the filepath, I need to resolve any local filepaths to an
> absolute path. On top of this the safemode checks need to be done before
> passing any of these to libxml.
>
> So far I started with taking the user supplied source string and running
> that through the safemode checks.
> If this passes, then the source is tested as follows:
>
> If uri, then it is passed to libxml, otherwise it gets passed through
> expand_filepath and the resolved path is passed to libxml.
>
> It has been noted that file uris should not be passed in directly, but go
> through the same path resolutions as local files and that the following
> block of code be used instead of just using expand_filepath on all non uri
> and file uri source strings:
> #ifdef VIRTUAL_DIR
>     virtual_filepath_ex(source, &resolved_path, NULL TSRMLS_CC);
> #else
>     resolved_path = source;
> #endif
>
> My problem is that if VIRTUAL_DIR is not defined, then the resolved path
> ends up being the original source supplied, which means that relative paths
> are not resolved. Also, should the path resolutions be done before the
> safemode checks?
>
> On top of this I am looking at allowing additional registered streams to be
> used, so not sure if that would change any of this.
>
> What is the correct way to implement this?
>
> Thanks,
>
> Rob
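
An added example, not part of the original thread and not PHP source: a stand-alone C model of the flow discussed above. It classifies a source by the "://" test, sends file URIs through the same resolution as local paths, and applies a directory restriction to the resolved path, which shows what a check on the raw string would miss. The names check_source, normalize and scheme_len are hypothetical. The lexical normalization and the base-directory prefix test are assumed stand-ins for expand_filepath and the safe mode / open_basedir checks, and symlinks are not resolved.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

enum verdict { SRC_REMOTE, SRC_ALLOW, SRC_DENY };

/* Length of a leading "scheme://" (the "://" test the mail mentions), else 0. */
static size_t scheme_len(const char *s) {
    size_t i = 0;
    while (s[i] && (isalnum((unsigned char)s[i]) || (i && strchr("+-.", s[i])))) i++;
    return (i && strncmp(s + i, "://", 3) == 0) ? i + 3 : 0;
}

/* Join cwd and path, collapsing "." and ".." lexically; symlinks are not followed. */
static int normalize(const char *cwd, const char *path, char *out, size_t n) {
    char buf[1024];
    size_t len = 0;
    int w = snprintf(buf, sizeof buf, "%s/%s", *path == '/' ? "" : cwd, path);
    if (n < 2 || w < 0 || w >= (int)sizeof buf) return -1;
    out[0] = '\0';
    for (char *seg = strtok(buf, "/"); seg; seg = strtok(NULL, "/")) {
        if (!strcmp(seg, "..")) {               /* drop the last component */
            while (len && out[--len] != '/') {}
            out[len] = '\0';
        } else if (strcmp(seg, ".")) {          /* "." segments are skipped */
            if (len + strlen(seg) + 2 > n) return -1;
            len += (size_t)sprintf(out + len, "/%s", seg);
        }
    }
    if (!len) strcpy(out, "/");
    return 0;
}

/* Resolve first, then apply the directory restriction to the resolved path. */
enum verdict check_source(const char *src, const char *cwd, const char *base,
                          char *resolved, size_t n) {
    size_t s = scheme_len(src), b = strlen(base);
    if (s && (s != 7 || strncasecmp(src, "file://", 7))) return SRC_REMOTE;
    if (s) src += 7;                            /* file:///x -> /x */
    if ((s && *src != '/') || normalize(cwd, src, resolved, n)) return SRC_DENY;
    return (!strncmp(resolved, base, b) && (resolved[b] == '/' || !resolved[b]))
               ? SRC_ALLOW : SRC_DENY;
}

int main(void) {                                /* constructed sample input */
    char r[256];
    int v = check_source("../../../etc/passwd", "/var/www/app", "/var/www", r, sizeof r);
    printf("verdict=%d resolved=%s\n", v, r);
}
```

SRC_REMOTE means the string is left to whatever URI or stream handler applies; the base directory is assumed to be already normalized, without a trailing slash.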