Re: [PHP] Question regarding include() and symlinks to directories

2007-01-08 Thread Jochem Maas
Vincent DUPONT wrote:
> hello,
> if I can still contribute to this topic, I suggest you never use symlinks.
> We experienced very bad maintenance problems at a customer : when copying new
> files through FTP, the symlinks were often erased or overwritten.
> And this occurred on every upgrade of the scripts.
> 
> This would not occur with a simple and stable include_path setting. Moreover,
> one can set the include_path directly from PHP, allowing for example 2
> applications to define their own include_path.
> 
> Finally, symlinks are not available on win32 platforms.

not completely true - windows does have something they like to call hardlinks -
which pretty much do the same thing:

http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/fsutil_hardlink.mspx?mfr=true

that said I also would recommend using a well thought out include_path strategy
over a solution that uses symlinks, given the choice. of course Karl is living a
deployed, production system and he probably does not have the luxury of *just*
switching over.
> 
> So, the include_path should be more stable (considering FTP) and more
> flexible than symlinks.
> 
> 
> 
> Vincent Dupont
> Ausy Belgium
> 
> 
> 
> -Original Message-
> From: Richard Lynch [mailto:[EMAIL PROTECTED]
> Sent: Sat 1/6/2007 0:17
> To: Karl Pflästerer
> Cc: php-general@lists.php.net
> Subject: Re: [PHP]  Question regarding include() and symlinks to directories
>  
> On Thu, January 4, 2007 2:47 pm, Karl Pflästerer wrote:
>> In my opinion include() should respect symlinks to directories and not
>> dereference them before finding the file to include. Or am I wrong
>> here?
>> The PHP version is 5.1.6 (will soon be updated).
> 
> WHOOPS!
> 
> My fingers slipped and I keyboarded to "Send" button.
> 
> SORRY!
> 
> ... and use full pathname when you go to read a file.
> 
> Anything else is more like playing an Adventure Game than Programming.
> 
> I can see arguments both ways for when to work out the symlink, so
> you'd have to take this up with Internals to get a change made...
> 

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] Question regarding include() and symlinks to directories

2007-01-07 Thread Roman Neuhauser
# [EMAIL PROTECTED] / 2007-01-08 08:13:11 +0100:
> From: Richard Lynch [mailto:[EMAIL PROTECTED]
> > Sent: Sat 1/6/2007 0:17
> > To: Karl Pflästerer
> > Cc: php-general@lists.php.net
> > Subject: Re: [PHP]  Question regarding include() and symlinks to directories
> >  
> > On Thu, January 4, 2007 2:47 pm, Karl Pflästerer wrote:
> > > In my opinion include() should respect symlinks to directories and not
> > > dereference them before finding the file to include. Or am I wrong
> > > here?
> > > The PHP version is 5.1.6 (will soon be updated).
> > 
> > Anything else is more like playing an Adventure Game than Programming.
> > 
> > I can see arguments both ways for when to work out the symlink, so
> > you'd have to take this up with Internals to get a change made...
> 
> if I can still contribute to this topic, I suggest you never use symlinks.
> We experienced very bad maintenance problems at a customer : when
> copying new files through FTP, the symlinks were often erased or
> overwritten.  And this occurred on every upgrade of the scripts.

Shouldn't that have been: "never use broken FTP clients"?

NB, I hope I got the quoting right, but if someone got misattributed,
please blame the original quoting.

-- 
How many Vietnam vets does it take to screw in a light bulb?
You don't know, man.  You don't KNOW.
Cause you weren't THERE. http://bash.org/?255991




RE: [PHP] Question regarding include() and symlinks to directories

2007-01-07 Thread Vincent DUPONT
hello,
if I can still contribute to this topic, I suggest you never use symlinks.
We experienced very bad maintenance problems at a customer : when copying new
files through FTP, the symlinks were often erased or overwritten.
And this occurred on every upgrade of the scripts.

This would not occur with a simple and stable include_path setting. Moreover,
one can set the include_path directly from PHP, allowing for example 2
applications to define their own include_path.

Finally, symlinks are not available on win32 platforms.

So, the include_path should be more stable (considering FTP) and more flexible
than symlinks.



Vincent Dupont
Ausy Belgium



-Original Message-
From: Richard Lynch [mailto:[EMAIL PROTECTED]
Sent: Sat 1/6/2007 0:17
To: Karl Pflästerer
Cc: php-general@lists.php.net
Subject: Re: [PHP]  Question regarding include() and symlinks to directories
 
On Thu, January 4, 2007 2:47 pm, Karl Pflästerer wrote:
> In my opinion include() should respect symlinks to directories and not
> dereference them before finding the file to include. Or am I wrong
> here?
> The PHP version is 5.1.6 (will soon be updated).

WHOOPS!

My fingers slipped and I keyboarded to "Send" button.

SORRY!

... and use full pathname when you go to read a file.

Anything else is more like playing an Adventure Game than Programming.

I can see arguments both ways for when to work out the symlink, so
you'd have to take this up with Internals to get a change made...

-- 
Some people have a "gift" link here.
Know what I want?
I want you to buy a CD from some starving artist.
http://cdbaby.com/browse/from/lynch
Yeah, I get a buck. So?




Re: [PHP] Question regarding include() and symlinks to directories

2007-01-05 Thread Richard Lynch
On Thu, January 4, 2007 2:47 pm, Karl Pflästerer wrote:
> In my opinion include() should respect symlinks to directories and not
> dereference them before finding the file to include. Or am I wrong
> here?
> The PHP version is 5.1.6 (will soon be updated).

WHOOPS!

My fingers slipped and I keyboarded to "Send" button.

SORRY!

... and use full pathname when you go to read a file.

Anything else is more like playing an Adventure Game than Programming.

I can see arguments both ways for when to work out the symlink, so
you'd have to take this up with Internals to get a change made...

-- 
Some people have a "gift" link here.
Know what I want?
I want you to buy a CD from some starving artist.
http://cdbaby.com/browse/from/lynch
Yeah, I get a buck. So?




Re: [PHP] Question regarding include() and symlinks to directories

2007-01-05 Thread Richard Lynch
On Thu, January 4, 2007 2:47 pm, Karl Pflästerer wrote:
> In my opinion include() should respect symlinks to directories and not
> dereference them before finding the file to include. Or am I wrong
> here?
> The PHP version is 5.1.6 (will soon be updated).

Honestly...

My answer would be "Don't do that."

Use include_path so that you never need to use ".." in your includes,
and use full pathnames when you go to read

-- 
Some people have a "gift" link here.
Know what I want?
I want you to buy a CD from some starving artist.
http://cdbaby.com/browse/from/lynch
Yeah, I get a buck. So?




Re: [PHP] Question regarding include() and symlinks to directories

2007-01-05 Thread Jochem Maas
Robert Cummings wrote:
> On Fri, 2007-01-05 at 22:07 +0100, Jochem Maas wrote:

...

>>> `
>>>
>>> In my opinion include() should respect symlinks to directories and not
>>> dereference them before finding the file to include. Or am I wrong here?
>> I have tested using your exact description and get the result, you can
>> be fairly certain this is not something specific to your server/machine.
>>
>> I would tend to agree with your premise - but the php devs may have
>> decided against this behaviour on purpose.
> 
> PHP needs to dereference symlinks so it knows exactly where it is in
> case of security violations. This prevents symlinking into paths for
> which you don't have access... especially important on shared hosts. 

(what's a shared host? ;-)

that explains why - open_base_dir (right?) - but it sounds shoddy,
surely php should just be dereferencing within the confines of the
security violation check. (and crap out if the check fails) but if the check
succeeds the symlink referencing should be honoured for the remainder of play?
(or maybe that would be a nightmare to implement or just plain slow at runtime?)

I realise open_base_dir fills a need left by the lack of ability to run as a
webserver module in the context of a specific user on a per client basis - but
really this kind of stuff needs to be done at the system level - in a perfect
world php would not have to go near any security checks of this ilk.

another thing is that I don't have open_base_dir set to anything - there is
no restriction defined so there can be no violation in the context
of php's security check - so why do the check at all (and therefore why
dereference the symlink)

and then there is the issue of the fact that I was testing this with the CLI,
no freaking webserver in sight, and therefore running purely within the
context of the user I was logged in as not the webserver's user.

I realise I may be thinking rather simplistically about this
so I welcome any insight :-)

then again if I've raised some points which *might* be valid then
maybe there is still a case for asking a php-dev's opinion?

> 
> Cheers,
> Rob.




Re: [PHP] Question regarding include() and symlinks to directories

2007-01-05 Thread Robert Cummings
On Fri, 2007-01-05 at 22:07 +0100, Jochem Maas wrote:
> reply at the bottom ...
> 
> (Karl Pflästerer) wrote:
> > Hi
> > let's say we have the following directory structure:
> > directory test, with two subdirectories: a and b; both have ssi
> > subdirectory; a has also a subdirectory c with an index.php file in it
> > and in b we have a symbolic link to a/c.
> > 
> > On the shell it looks like this:
> > ,
> > | /htdocs/test>ls -gG *
> > | a:
> > | total 8
> > | drwxr-xr-x  2 4096 Jan  4 20:55 c
> > | drwxr-xr-x  2 4096 Jan  4 20:51 ssi
> > | 
> > | b:
> > | total 4
> > | lrwxrwxrwx  16 Jan  4 20:53 c -> ../a/c
> > | drwxr-xr-x  2 4096 Jan  4 20:53 ssi
> > | ~/htdocs/test>cat a/ssi/a.inc
> > | In directory a
> > | 
> > | ~/htdocs/test>cat b/ssi/a.inc
> > | In directory b
> > `
> > 
> > As you see we have an a.inc in each ssi. If we call now the index.php
> > which does nothing more than to:
> >   include('../ssi/a.inc')
> > what would you expect to read if you called b/c/index.php? I expected to
> > read 'In directory b' but I read 'In directory a'.
> > 
> > ,
> > | ~/htdocs/test>(cd a/c && php -f index.php )
> > | In directory a
> > | 
> > | 
> > | ~/htdocs/test>(cd b/c && php -f index.php )
> > | In directory a
> > `
> > 
> > In my opinion include() should respect symlinks to directories and not
> > dereference them before finding the file to include. Or am I wrong here?
> 
> I have tested using your exact description and get the result, you can
> be fairly certain this is not something specific to your server/machine.
> 
> I would tend to agree with your premise - but the php devs may have
> decided against this behaviour on purpose.

PHP needs to dereference symlinks so it knows exactly where it is in
case of security violations. This prevents symlinking into paths for
which you don't have access... especially important on shared hosts. 

Cheers,
Rob.
-- 
.------------------------------------------------------------.
| InterJinn Application Framework - http://www.interjinn.com |
:------------------------------------------------------------:
| An application and templating framework for PHP. Boasting  |
| a powerful, scalable system for accessing system services  |
| such as forms, properties, sessions, and caches. InterJinn |
| also provides an extremely flexible architecture for       |
| creating re-usable components quickly and easily.          |
`------------------------------------------------------------'

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
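
Added example (not code from this thread or from PHP itself): the script below rebuilds the quoted directory layout in a temporary directory, prints how the path requested from b/c resolves, and applies a realpath()-based containment check of the kind the reply above gives as the reason for dereferencing. The helper name path_within_base and the temporary directory name are assumptions of this example; it needs a platform where symlink() is permitted.

```php
<?php
// Added example, not code from the thread. The tree below is constructed to
// mirror the quoted listing: a/c, a/ssi, b/ssi and the symlink b/c -> ../a/c.

/** True if $path, once symlinks and ".." are resolved, lies inside $base. */
function path_within_base(string $path, string $base): bool  // hypothetical helper
{
    $real = realpath($path);   // false when the target does not exist
    $root = realpath($base);
    if ($real === false || $root === false) {
        return false;
    }
    $root = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($real . DIRECTORY_SEPARATOR, $root, strlen($root)) === 0;
}

$test = sys_get_temp_dir() . '/symlink-demo-' . uniqid();
foreach (['a/c', 'a/ssi', 'b/ssi'] as $dir) {
    mkdir("$test/$dir", 0700, true);
}
file_put_contents("$test/a/ssi/a.inc", "In directory a\n");
file_put_contents("$test/b/ssi/a.inc", "In directory b\n");
symlink('../a/c', "$test/b/c");

// The path b/c/index.php asks for, as written and as PHP resolves it.
$requested = "$test/b/c/../ssi/a.inc";
echo "requested: $requested\n";
echo "resolved:  ", realpath($requested), "\n";

// The diagnostics suggested in the thread: cwd after entering the symlink,
// then the relative include itself.
chdir("$test/b/c");
echo "cwd:       ", getcwd(), "\n";
include '../ssi/a.inc';

// A confinement policy for b/ has to judge the resolved path ...
var_dump(path_within_base($requested, "$test/b"));
var_dump(path_within_base("$test/b/ssi/a.inc", "$test/b"));
// ... because a textual prefix test on the unresolved string accepts it.
var_dump(strncmp($requested, "$test/b/", strlen("$test/b/")) === 0);

// Remove the constructed tree.
chdir(sys_get_temp_dir());
array_map('unlink', ["$test/b/c", "$test/a/ssi/a.inc", "$test/b/ssi/a.inc"]);
foreach (['a/c', 'a/ssi', 'a', 'b/ssi', 'b'] as $dir) {
    rmdir("$test/$dir");
}
rmdir($test);
```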



Re: [PHP] Question regarding include() and symlinks to directories

2007-01-05 Thread Jochem Maas
reply at the bottom ...

(Karl Pflästerer) wrote:
> Hi
> let's say we have the following directory structure:
> directory test, with two subdirectories: a and b; both have ssi
> subdirectory; a has also a subdirectory c with an index.php file in it
> and in b we have a symbolic link to a/c.
> 
> On the shell it looks like this:
> ,
> | /htdocs/test>ls -gG *
> | a:
> | total 8
> | drwxr-xr-x  2 4096 Jan  4 20:55 c
> | drwxr-xr-x  2 4096 Jan  4 20:51 ssi
> | 
> | b:
> | total 4
> | lrwxrwxrwx  16 Jan  4 20:53 c -> ../a/c
> | drwxr-xr-x  2 4096 Jan  4 20:53 ssi
> | ~/htdocs/test>cat a/ssi/a.inc
> | In directory a
> | 
> | ~/htdocs/test>cat b/ssi/a.inc
> | In directory b
> `
> 
> As you see we have an a.inc in each ssi. If we call now the index.php
> which does nothing more than to:
>   include('../ssi/a.inc')
> what would you expect to read if you called b/c/index.php? I expected to
> read 'In directory b' but I read 'In directory a'.
> 
> ,
> | ~/htdocs/test>(cd a/c && php -f index.php )
> | In directory a
> | 
> | 
> | ~/htdocs/test>(cd b/c && php -f index.php )
> | In directory a
> `
> 
> In my opinion include() should respect symlinks to directories and not
> dereference them before finding the file to include. Or am I wrong here?

I have tested using your exact description and get the result, you can
be fairly certain this is not something specific to your server/machine.

I would tend to agree with your premise - but the php devs may have
decided against this behaviour on purpose.

although I must also say it's a rather convoluted setup, then again you may
have a very good/neat reason for wanting to setup a directory akin to
your example.

because I was curious I tried the following, namely creating a subdir 'd'
in each of dirs 'a' and 'b' and creating the index.php in 'a/d/' and then
symlinking 'a/d/index.php' to 'b/d/index.php' and then running the same tests
using the 'd' subdirs and guess what the correct [according to your
expectation/opinion] 'ssi/a/inc' file was included

I would suggest maybe asking the [EMAIL PROTECTED] mailing list
as to whether they consider this a bug - and then file a bug report
if asked.

I might suggest also adding the following 2 lines to your test
index.php - which might provide a little more insight:

echo "the current working directory is ",getcwd(),"\n";
echo "I am the index file, my name is ",__FILE__,"\n";

additionally I changed the contents of your 'a.inc' files to the following:

 The PHP version is 5.1.6 (will soon be updated).
> 
> 
>KP
> 
