views: 47

answers: 2

In a project I'm currently working for, we're considering putting system() into php.ini's disable_functions declaration. Now, one meta-module of ours which would ultimately also fall victim to this restriction is syntax-checking files with system("php -l"); calls - prompting me to hunt for alternatives.

Turns out there used to be a php_check_syntax(), but not only did that not restrict itself to merely checking syntax and went on to include the file if it was syntactically valid, but it's been removed as of PHP 5.0.5. The manual suggests php -l in its place, but given that I'm sure disabling system call functions in PHP is a fairly common practice, I'm wondering if there is an accepted, 'better' way of syntax checking PHP files from within PHP files.

(I'm not hell-bent on this, by the way; a 'no' perfectly suffices (and I expect it, really). We can exempt the module from this restriction - but I'm asking this question both out of curiosity as well as in hope of a more graceful solution.)

+2  A: 

I found an alternative using PECL runkit_lint_file().

It does the same check as php_check_syntax().

I think it's worth a look.

ITroubs
Ooh! Absolutely. That looks precisely like what I was looking for. I wonder if we have PECL runkit here -- off to investigate! Out of curiosity, do you know of any security advisories about this function (though they'd be anecdotal for me, the files being checked are trusted)?
pinkgothic
As far as I can read it from the manual it should be safe, because it just tries to parse the PHP file and then returns whether the parsing was successful. It shouldn't do any execution, so I THINK it is safe ;-)
ITroubs
Well, there have historically been security advisories for functions like `highlight_file()`, too, because you could get around the 'just parsing' that they were supposed to do with the right payload - hence the question. But, as I said, anecdotal - I'm not worried either way in my case, just a curious cookie.
pinkgothic
Ahh, I get your point. Well, I don't have any experience using runkit, so I can't tell anything about buffer overrun security problems. It was just a fast search I did.
ITroubs
Thank goodness other people's google-fu is better than mine! :) Thanks, ITroubs. (We don't have PECL runkit, but that can be remedied, so I'm accepting your answer. Thank you!)
pinkgothic
After almost 10 years of googling it becomes more effective to search something on Google than to ask it on Stack Overflow, except when the answer is not given yet and therefore not in Google.
ITroubs
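The runkit approach from this answer, as an added example that is not code from the question, the answer or the runkit project: an in-process lint helper that first confirms runkit_lint_file() is usable under the current php.ini, refuses files that resolve outside a trusted directory (the asker's module only checks trusted files), and runs it over two constructed sample files. It assumes the PECL runkit extension is loaded; `lintPhpFile` and `$allowedRoot` are names chosen here.

```php
<?php
// Added example, not from the page: in-process PHP syntax check using PECL
// runkit's runkit_lint_file(), with the checks a module would want once
// system() is on disable_functions. Assumes the runkit extension is loaded.

function lintPhpFile(string $path, string $allowedRoot): array
{
    // function_exists() is false both when the extension is missing and when
    // the function itself has been put on disable_functions.
    if (!function_exists('runkit_lint_file')) {
        return ['ok' => false, 'reason' => 'runkit_lint_file() not available'];
    }
    // Only lint files under the trusted root: resolve symlinks and "..", then
    // require the resolved path to sit inside the resolved root.
    $real = realpath($path);
    $root = realpath($allowedRoot);
    if ($real === false || $root === false
        || strncmp($real, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        return ['ok' => false, 'reason' => 'file is outside the trusted root'];
    }
    // runkit_lint_file() parses the file and returns true on valid syntax and
    // false on a parse error; unlike the old php_check_syntax() it does not
    // include the file, so nothing in it is executed.
    return ['ok' => runkit_lint_file($real), 'reason' => null];
}

// Constructed samples: one valid file, one with a missing semicolon.
$dir = sys_get_temp_dir() . '/lint-demo-' . getmypid();
mkdir($dir, 0700);
file_put_contents("$dir/good.php", "<?php\necho 'fine';\n");
file_put_contents("$dir/bad.php",  "<?php\necho 'broken'\n");

foreach (['good.php', 'bad.php', '../outside.php'] as $name) {
    $r = lintPhpFile("$dir/$name", $dir);
    printf("%s: %s%s\n", $name, $r['ok'] ? 'syntax OK' : 'FAILED',
        $r['reason'] !== null ? " ({$r['reason']})" : '');
}

array_map('unlink', glob("$dir/*.php"));
rmdir($dir);
```

With runkit loaded, good.php reports syntax OK, bad.php FAILED, and the path outside the temp directory is rejected before any parsing happens.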
A: 

See our PHP Formatter. This command-line tool takes a well-formed PHP file and formats it nicely.

Not only does it format, it also syntax checks, and returns command line status telling you whether the file was "well-formed"; it contains a full PHP 5 parser. Because it is a command line tool it would be easy to launch from a PHP script if that's what you need to do, and by checking the returned status you would know if the file was legal.

Ira Baxter
"This command-line tool" -- I'm trying to go away from the command line, though - the idea is to forbid anything in PHP that calls it, after all (`system`/`passthru`/etc). Thanks nonetheless, though. :)
pinkgothic