Bulletproof __autoloader

Benjamin
Site Administrator
Posts: 6935
Joined: Sun May 19, 2002 10:24 pm

Post by Benjamin »

scottayy wrote:
astions wrote:Are included files "evaled" or "executed" by the PHP engine?
Absolutely.
That isn't what I meant. What I mean is, if an included file doesn't have execute permissions, can (or will) php still execute it?
Jenk
DevNet Master
Posts: 3587
Joined: Mon Sep 19, 2005 6:24 am
Location: London

Post by Jenk »

I *think* it depends on the webserver installation and the type of installation. If you are using a CGI-BIN install then it will need execute permission, but if it's a module then you might be OK without it.
Benjamin
Site Administrator
Posts: 6935
Joined: Sun May 19, 2002 10:24 pm

Post by Benjamin »

Jenk wrote:I *think* it depends on the webserver installation and the type of installation. If you are using a CGI-BIN install then it will need execute permission, but if it's a module then you might be OK without it.
I decided to test it. I chmod'ed an important include as 0444 (read only), and it didn't cause any problems. :?

Not sure if that is a good thing security-wise or not, but nevertheless it worked fine. Don't know about CGI-BIN install though.
Jenk
DevNet Master
Posts: 3587
Joined: Mon Sep 19, 2005 6:24 am
Location: London

Post by Jenk »

The reason behind my previous post is that when using CGI-BIN, the file itself is what is executed, whereas in a module installation, the server is executing and 'copies' the content from the requested file.

At least, that is what I was thinking.
volka
DevNet Evangelist
Posts: 8391
Joined: Tue May 07, 2002 9:48 am
Location: Berlin, ger

Post by volka »

http://www.php.net/manual/en/install.windows.apache2.php wrote:Installing as a CGI binary
[...]
Action application/x-httpd-php "/php/php.exe"
It's still the php executable that is ...executed ;)
The script is only read by the php parser.
Jenk
DevNet Master
Posts: 3587
Joined: Mon Sep 19, 2005 6:24 am
Location: London

Post by Jenk »

http://www.php.net/manual/en/security.cgi-bin.default.php wrote:Case 1: only public files served

If your server does not have any content that is not restricted by password or ip based access control, there is no need for these configuration options. If your web server does not allow you to do redirects, or the server does not have a way to communicate to the PHP binary that the request is a safely redirected request, you can specify the option --enable-force-cgi-redirect to the configure script. You still have to make sure your PHP scripts do not rely on one or another way of calling the script, neither by directly http://my.host/cgi-bin/php/dir/script.php nor by redirection http://my.host/dir/script.php.

Redirection can be configured in Apache by using AddHandler and Action directives (see below).
It's the permissions of the files requested that dictate the action, not the permissions of the php.exe.
Christopher
Site Administrator
Posts: 13596
Joined: Wed Aug 25, 2004 7:54 pm
Location: New York, NY, US

Post by Christopher »

I think we need to differentiate between executable by the OS and executable by PHP. PHP scripts are not executable by the OS and the term executable is not normally used for them. I believe "run" is usually used for PHP scripts. The PHP program itself must be executable by the OS to be executed. The execute permissions need to be set for the current user for PHP to be able to be executed.

PHP scripts only need to be readable by PHP to be run.
(#10850)
Jenk
DevNet Master
Posts: 3587
Joined: Mon Sep 19, 2005 6:24 am
Location: London

Post by Jenk »

Yes, and with CGI-BIN installs that is on a per customer basis, whereas with the module, it's one user for all.
volka
DevNet Evangelist
Posts: 8391
Joined: Tue May 07, 2002 9:48 am
Location: Berlin, ger

Post by volka »

arborint wrote:I think we need to differentiate between executable by the OS and executable by PHP. PHP scripts are not executable by the OS and the term executable is not normally used for them.
You can have scripts with #!/bin/php as the first line and invoke them "directly" from the shell. Then the execute flag is needed (at least with bash it is).
But that's OT, since __autoload implies that PHP is already running and therefore only read permissions are needed for additional script files.
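
The 0444 test described in the thread, reproduced as an added example (not code posted by any participant) with an autoloaded class. It uses spl_autoload_register in place of __autoload, and the temp directory, class names and file contents are constructed for the demo.

```php
<?php
declare(strict_types=1);

// Constructed scratch directory and class files for this demo only.
$dir = sys_get_temp_dir() . '/autoload_perm_demo_' . getmypid();
mkdir($dir, 0700);

$readOnly = $dir . '/Greeter.php';
file_put_contents($readOnly, "<?php\nclass Greeter { public function hi(): string { return 'loaded'; } }\n");
chmod($readOnly, 0444);   // read-only for everyone, no execute bit (the thread's test)

$execOnly = $dir . '/Hidden.php';
file_put_contents($execOnly, "<?php\nclass Hidden {}\n");
chmod($execOnly, 0111);   // counter-case: execute bits set, read bits cleared
clearstatcache();

// spl_autoload_register replaces __autoload, which no longer exists in PHP 8.
spl_autoload_register(function (string $class) use ($dir): void {
    // basename() keeps the lookup inside $dir even for odd class names.
    $path = $dir . '/' . basename(str_replace('\\', '/', $class)) . '.php';
    // The running PHP process reads and parses the file, so only
    // readability is checked; the execute bit plays no part.
    if (is_readable($path)) {
        require $path;
    }
});

foreach ([$readOnly, $execOnly] as $f) {
    printf("%s mode=%04o readable=%s executable=%s\n",
        basename($f),
        fileperms($f) & 0777,
        var_export(is_readable($f), true),
        var_export(is_executable($f), true));
}

// Instantiating the class triggers the autoloader on the 0444 file.
echo 'Greeter: ', (new Greeter())->hi(), "\n";

// As an unprivileged user the 0111 file cannot be read, so the class is
// never defined. Run as root, permission checks are bypassed and it loads.
echo 'Hidden: ', class_exists('Hidden') ? 'loaded' : 'not loaded (unreadable)', "\n";

// Clean up the scratch files.
chmod($execOnly, 0600);
unlink($readOnly);
unlink($execOnly);
rmdir($dir);
```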