tags:

views:

59

answers:

1
+1  Q: 

How to SAFELY include a file for use with use with Zend_Reflection?

I'm using Zend_Reflection to generate an extended format set of ctags for use with my text editor. The problem is that you have to include any files that you wish to process.

The constructor for Zend_Reflection_File checks to see if the file you wish to reflect has been included, and if not it throws an exception: 

// From Zend/Refection/File.php (94-97)
if (!$fileRealpath || !in_array($fileRealpath, get_included_files())) {
    require_once 'Zend/Reflection/Exception.php';
    throw new Zend_Reflection_Exception(
        'File ' . $file . ' must be required before it can be reflected');
}

I only use this technique on code that I trust but I'd like to wrap it all up in a script for others to use. My concern is that any included files may introduce unsafe code into the current scope. For example, I wouldn't want to include the following: 

<?php
// evil.php
shell_exec('rm -rf /');

My first thought was to use safe_mode but this is depreciated (and not as safe as the name would suggest it seems).

The next idea would be to use a custom php.ini file and the disable_functions directive but (beyond the candidates listed in the safe_mode documentation) I couldn't be sure that I'd caught all the necessary functions.

Finally I'm wondering if there's any way of making PHP run in a sandbox (of sorts) -- I'd like to capture the Reflection information without any global code that was included being executed at all.

Any and all thoughts appreciated. TIA.

+2  A: 

You shouldn't be including, or eval-ing, user supplied code.

Edit:

Trying to filter out "safe" code is beyond the scope of Zend_Reflection. That is not the intended usage, and is not supported by the framework. If you wish to do some voodoo token parsing on your input, feel free, but that isn't Zend_Reflection.

Edit 2:

If you really want to do this, please look at token_get_all, token_get_name, and the list of parser tokens.

If you look at the Zend_Reflection_File::_reflect method, you can get an idea of what you could do:

<?php
$tokens = token_get_all(file_get_contents('file.php'));
foreach ($tokens as $token) {
    if (is_array($token)) {
        $type = $token[0];
        $value = $token[1];
        $line = $token[2];
    }
    switch ($type) {
        case T_FUNCTION:
            if ($value == 'shell_exec') {
                throw Exception("WTF");
            }
        // etc.
    }
}
hobodave  2010-01-18 19:39:18
Sorry, I guess I wasn't clear ... I'm only running this script on code I know is safe. IF I'm going to release a packaged version of it though I want to make sure I've done all I can to protect others who might use it.
Carlton Gibson  2010-01-18 19:42:14
@Carlton:Still his point stands - you dont include the file so its interpreted by PHP. you use the REflection class which gets the file contents and essentially parses the tokens so it can inspect whats in the file in terms of php code. The code in the file is never executed unless you specifically execute it via an invoke method.
prodigitalson  2010-01-18 19:48:44
Alas, trying to use Zend_Reflection_File on a non-included file raises an exception: v.1.9.7 ln 96: throw new Zend_Reflection_Exception('File ' . $file . ' must be required before it can be reflected');(You're right though, it does set the $_contents member via `file_get_contents()`)
Carlton Gibson  2010-01-18 19:53:45
@hobodave I appreciate the worry - that's why I'm asking here ;-) - but a) I'm just following the examples in the documentation in regards to instantiating my Zend_Reflection instances, and b) one of the points of Reflection is to generate documentation, which ctags are just a kind of. I'd really like a solution here, because the ctags themselves are pretty useful... :-)
Carlton Gibson  2010-01-18 20:26:23
@hobodave. Thanks for the edit. (Again) I'm definitely not including or eval-ing any code I don't trust. My concern is to protect other users if I release my method into the wild. Your answer seems to be that (short of a whole load of work) I can't... (Upvote for now, but I'll leave it open for a while in hope.:-)
Carlton Gibson  2010-01-19 08:58:21

related questions

IDE suggestions: Eclipse IDE vs. Zend Studio ( confused )
MySQL/Apache Error in PHP MySQL query
Lightweight IDE for Linux
What PHP framework would you choose for a new application and why?
Why is my ternary expression not working?
How can I get at the matches when using preg_replace in PHP?
Mechanisms for tracking DB schema changes
Wordpress theme development offline tools
Using object property as default for method property
How can I get the authenticated user name under Apache using plain HTTP authentication and PHP?
Make XAMPP/Apache serve file outside of htdocs
How do you debug PHP scripts?
PHP Variables passed by value or by reference?
Best way to implement unit testing in PHP
Connect PHP to an AS/400
Best way to access Exchange using PHP?
PHP Session Security
How do I access a remote form in php?
What's the best way to generate a tag cloud from an array? (using h1 through h6 for sizing)
Apache/PHP: error_log per Virtual Host?
How do I track file downloads with apache/PHP
How would you access Object properties from within an object method?
Flat File Databases in PHP
Best way to allow plugins for a PHP application
Latest information on PHP upcoming releases