[PHP] Bad impact of memory_limit set to -1 ?

2009-09-25 Thread Manuel Vacelet
Hi all,

I'm fighting with SoapServer to be able to upload large files base64 encoded.
Every so often I get memory exhausted error messages and
memory_get_usage() tells me that my script starts with more than 250MB
allocated (for a soap request of 85MB!).

I'm wondering if I should leave memory_limit unbounded (-1) to avoid those
issues but I don't know what the consequences would be (esp. on
Apache processes, total allocated memory, etc).

Any advice ?
Thanks,
Manuel

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



[PHP] Re: Byte range support

2008-07-16 Thread Manuel Vacelet
On Tue, Jul 15, 2008 at 3:53 PM, Manuel Vacelet
[EMAIL PROTECTED] wrote:
 Hello all,

 How can I make my PHP apps aware of byte range HTTP requests ?

 I have a script that outputs data to the user if she's allowed to do so.
 But as of today, if a download fails, she must restart the download from
 the beginning because my server (my PHP script) doesn't support byte
 range requests (actually, this is what curl and wget claim!)

FYI, I found what I was looking for in PEAR HTTP Download package:
http://pear.php.net/package/HTTP_Download

-- Manuel




[PHP] Byte range support

2008-07-15 Thread Manuel Vacelet
Hello all,

How can I make my PHP apps aware of byte range HTTP requests ?

I have a script that outputs data to the user if she's allowed to do so.
But as of today, if a download fails, she must restart the download from
the beginning because my server (my PHP script) doesn't support byte
range requests (actually, this is what curl and wget claim!)

-- Manuel

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
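
Added example (not part of the original messages, and not code from PEAR HTTP_Download): one way a PHP download script can honour a single-range Range header itself and stream only the requested slice. The function names are hypothetical, and $path is assumed to have passed the application's access check already.

```php
<?php
/**
 * Parse a single-range "Range: bytes=first-last" header for a file of $size bytes.
 * Returns [start, end] (inclusive), null to ignore the header and send the
 * whole file, or false when the range cannot be satisfied (answer 416).
 */
function parse_byte_range(?string $header, int $size)
{
    // Multi-range and malformed headers are ignored; digit count is capped to avoid overflow.
    if ($header === null
        || !preg_match('/\Abytes=(\d{0,18})-(\d{0,18})\z/', trim($header), $m)
        || ($m[1] === '' && $m[2] === '')) {
        return null;
    }
    if ($m[1] === '') {                       // suffix form "bytes=-N": the last N bytes
        $n = (int) $m[2];
        return ($n === 0 || $size === 0) ? false : [max(0, $size - $n), $size - 1];
    }
    $start = (int) $m[1];
    if ($m[2] !== '' && (int) $m[2] < $start) {
        return null;                          // last < first is invalid: ignore the header
    }
    if ($start >= $size) {
        return false;                         // starts past the end of the file
    }
    $end = ($m[2] === '') ? $size - 1 : min((int) $m[2], $size - 1);
    return [$start, $end];
}

/** Stream $path (already authorised by the caller), honouring the Range header. */
function send_file(string $path): void
{
    $size  = (int) filesize($path);
    $range = parse_byte_range($_SERVER['HTTP_RANGE'] ?? null, $size);

    header('Accept-Ranges: bytes');
    if ($range === false) {
        header("Content-Range: bytes */$size", true, 416);
        return;
    }
    [$start, $end] = $range ?? [0, $size - 1];
    if ($range !== null) {
        header("Content-Range: bytes $start-$end/$size", true, 206);
    }
    header('Content-Type: application/octet-stream');
    header('Content-Length: ' . ($end - $start + 1));

    // Fixed-size chunks keep memory use flat whatever the file size.
    $fh = fopen($path, 'rb');
    fseek($fh, $start);
    $left = $end - $start + 1;
    while ($left > 0 && ($chunk = fread($fh, min(8192, $left))) !== false && $chunk !== '') {
        echo $chunk;
        $left -= strlen($chunk);
        flush();
    }
    fclose($fh);
}

if (PHP_SAPI === 'cli') {
    // Constructed headers, evaluated against a 1000-byte file.
    foreach (['bytes=0-99', 'bytes=900-', 'bytes=-100', 'bytes=1000-', 'bytes=5-3', 'bytes=0-1,5-9'] as $h) {
        printf("%-14s => %s\n", $h, json_encode(parse_byte_range($h, 1000)));
    }
}
```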



Re: [PHP] $_POST Array and Cleaning

2008-01-22 Thread Manuel Vacelet
On Jan 21, 2008 3:22 AM, nihilism machine [EMAIL PROTECTED] wrote:
 I'm trying to create a function that will first take an array of
 $_POSTs and give them key/value pairs like variables. For instance, if
 i had $_POST['whatever'] = whatever, that would be made into
 $whatever = whatever, then i can clean for sql injection and xss.
 any ideas here?

Consider usage of a 3rd party lib like Inspekt:
http://code.google.com/p/inspekt/

-- Manuel




[PHP] Filter Input: Inspekt

2007-11-20 Thread Manuel Vacelet
Hi all,

Has anyone already heard about the Inspekt library ?
http://code.google.com/p/inspekt/

Quote from the web site:
Inspekt acts as a sort of 'firewall' API between user input and the
rest of the application. It takes PHP superglobal arrays, encapsulates
their data in an cage object, and destroys the original superglobal.
Data can then be retrieved from the input data object using a variety
of accessor methods that apply filtering, or the data can be checked
against validation methods. Raw data can only be accessed via a
'getRaw()' method, forcing the developer to show clear intent.

It seems very interesting; unfortunately, I didn't see any discussion
channel attached to this project and the project seems rather young.
So it's hard to tell if this is an active project we can rely on for
long-term usage.

Maybe some of you already use it ?

-- Manuel




Re: [PHP] file_exists, is_readable effective UID/GID

2007-10-25 Thread Manuel Vacelet
On 10/24/07, Jim Lucas [EMAIL PROTECTED] wrote:
 Daniel Brown wrote:
  On 10/24/07, Manuel Vacelet [EMAIL PROTECTED] wrote:
  Hi all,
 
  file_exists and is_readable perform their tests with real UID/GID.
  Are there any functions that test file existence with effective UID/GID ?
 
  Note: stat is not an option because it raises an E_WARNING if the file
  is not readable.
 
  Thanks,
  Manuel
 
  --
  PHP General Mailing List (http://www.php.net/)
  To unsubscribe, visit: http://www.php.net/unsub.php
 
 
 
  That's what you have things like <?php ini_set('display_errors', 'off'); ?>
 

 what about doing it like this?

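 <?php

 $filename = __FILE__;

 // '@' suppresses the E_WARNING that stat() raises on failure
 $stat_info = @stat($filename);

 // stat() returns false on failure, so this branch only runs when it succeeded
 if ( $stat_info ) {
     // do something...
 }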

 The '@' will suppress the E_WARNING notice
 if stat fails the condition will fail.

I much prefer the second solution  (Jim's one) even if I find that php
limitation amazing !

Thank you for your help.
Cheers,
Manuel




[PHP] file_exists, is_readable effective UID/GID

2007-10-24 Thread Manuel Vacelet
Hi all,

file_exists and is_readable perform their tests with real UID/GID.
Are there any functions that test file existence with effective UID/GID ?

Note: stat is not an option because it raises an E_WARNING if the file
is not readable.

Thanks,
Manuel




[PHP] Filter input

2007-10-11 Thread Manuel Vacelet
Hi all,

I repeat the mantra 'filter input, escape output' every day before
writing any line of code.
About filter input I use to develop my own filter but I don't like
this solution as it's error prone (my regexp may be wrong, I don't
like to re-invent the wheel that much, ...).

I'd like to know if there is a library that could help me. I identified:
- PEAR Validate:
  * seems nice
  * but no activity since ~1 year and still beta.

- PEAR HTML_QuickForm:
  * validation is a part of its job.
  * not very usable if you only want to validate input (need to
    declare each element before, access to invalid element not easy).

- PHP Filter:
  * Requires PHP 5.2
  * As it's embedded in the PHP core, if there is a security hole we
    need to wait for a new PHP version to fix the bug.

Is there any other library I need to investigate ?
What are you using for your own developments ?

-- Manuel




Re: [PHP] Filter input

2007-10-11 Thread Manuel Vacelet
On 10/11/07, Jim Lucas [EMAIL PROTECTED] wrote:
 What are you wanting to validate?

 Do you want a package/class/function set that when called will validate 
 different types of input?
 Email, string, int, etc...

Basically yes.
I want to validate:
- type: (string, int, float, ..)
- characteristics (length, allowed characters, ...)
- nature (email, ISBN, ...)

I also want this lib. to let me define my own rules.
For instance, I'm dealing with parameters that look like 'field_33',
'field_1', 'label', 'title'
I want to be able to tell it:
validate stuff that matches:
- (field_[0-9]+ or [a-z]+)
and maybe in some cases
- (field_[0-9]+ or label or title)

The thing that remains not very clear to me is where validation stops
and where application logic starts.

Example:
A given 'item' (value = 7) has 3 'fields':
- field_33
- field_5
- label

When it comes to validating the field values of the item '7'
should I validate 'field' against
- ('field_33', 'field_5', 'label')
  - I validate the data are well formed AND coherent.
or
- ('field_[0-9]+', [a-z]+)
  - I only care about the form and I let the application part deal
    with coherency later.

I don't know if I'm clear enough!

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
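
The two options in the message above, written out as an added example (not code from the thread): a form-only input filter using the field_[0-9]+ / [a-z]+ rule, followed by a separate application-level check against the fields item 7 actually owns. All names and the sample inputs are constructed for illustration.

```php
<?php
// Constructed application data: item 7 owns exactly these fields.
const ITEM_FIELDS = [7 => ['field_33', 'field_5', 'label']];

/** Layer 1, input filter: is the value well formed? Knows nothing about items. */
function filter_field_name($raw): ?string
{
    if (!is_string($raw) || strlen($raw) > 64) {
        return null;                  // arrays (field[]=x) and oversized input are rejected
    }
    // \A...\z anchor the whole string; a bare "$" would also accept "label\n".
    return preg_match('/\A(?:field_[0-9]+|[a-z]+)\z/', $raw) === 1 ? $raw : null;
}

/** Layer 2, application logic: is the well-formed name coherent for this item? */
function field_belongs_to_item(string $field, int $itemId): bool
{
    return in_array($field, ITEM_FIELDS[$itemId] ?? [], true);
}

/** Runs both layers and reports which one, if any, refused the value. */
function classify_field($raw, int $itemId): string
{
    $field = filter_field_name($raw);
    if ($field === null) {
        return 'rejected by input filter';
    }
    if (!field_belongs_to_item($field, $itemId)) {
        return 'well formed, but not a field of this item';
    }
    return 'accepted';
}

// Constructed inputs, all checked against item 7.
$samples = ['field_33', 'title', 'field_999', 'field_33; DROP', "label\n", ['x']];
foreach ($samples as $raw) {
    printf("%-20s => %s\n", json_encode($raw), classify_field($raw, 7));
}
```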



Re: [PHP] Out source files

2007-03-21 Thread Manuel Vacelet

2007/3/21, Richard Lynch [EMAIL PROTECTED]:

On Tue, March 20, 2007 4:37 am, Manuel Vacelet wrote:
 2007/3/20, Richard Lynch [EMAIL PROTECTED]:
 One common pattern in PHP is to not put the file in the web tree at
 all, and write a PHP script with 'readfile' (or fopen/fread/echo
 loop for larger files).

 You can then control access to the file, and log any kind of stats
 you need about accessing the file.

 Yes I already do that with all my scripts that are dealing with files.

 Once you have that, then you can also put the files on some other
 server, and use URL fopen to read them, if you like.

 Is it considered as secure ?

as secure as what?  I don't think you've established a baseline for
comparison...


It's a typo, I wanted to write (more simple though) 'Is it secure ?'
In several PHP security recommendations we can read 'Do not let PHP
open URLs through fopen'.
I think it's mostly related to crappy PHP applications that could
let users do what they want, but are there any other problems with this
practice ?


Assuming you control the other server, you can make it as secure as
you like...


The server is fully under my control and I can order other servers if
I can highlight that's a better approach to ensure the security of the
data we serve.


That server can also reject any requests that aren't from your web
server IP (or list of IPs for a web-server farm).


It's an approach but if my front-end is under the control of a cracker
it will be unfortunately useless.


You could set it up with SSL and use curl instead of url fopen --
You'd probably not want to waste $$$ on a CA, so you'd need the
CURLOPT stuff to not check the peer stuff.


I don't imagine using SSL without trusted CA.


How secure is secure enough?
Depends what your data and application are, more than any external
factor.


I cannot speak about the kind of data I have to protect on a public ML
but the data are confidential and I have to propose something to guarantee
that a vulnerability of the application doesn't expose all the data to the
cracker.


I'd also consider curl before FTP, personally, as it is more flexible
if you decide later to use something other than the FTP protocol.


You are right.


 It depends more on what you are trying to secure, and why, than it
 does on any sort of general principle, really...  And just personal
 preference on how to do this sort of thing... And your performance
 needs are a big factor, sometimes.

 Security is the major point (before performances).

It's not that simple...

Would you be happy with a web server that requires a human to review
each HTTP request and sign off a form in triplicate before the HTTP
response went out?


:) that's an idea.
I maybe should add in the requirement that the service should be usable :)

Note: I don't mandate the service to be easy to use though. I fully
accept constraints to access to the data if it's worth it.


 The main goal is to be still protected if there is an element under
 attack on the application server, for instance a vulnerability in
 apache (or even php according to the March month ;).

What data are you protecting?


See above.
It's not just the picture of my last week-end (I don't even host images ;) !


 I want to be protected against:
 - cracker uploads a file and uses a vulnerability to execute it on the
 server (I can avoid it with a partition mounted without exec rights or
 with another server that hosts the files).

Sure.

Or you could just put them outside the webtree and not write stupid
PHP code that lets them get executed.


An attacker can use a vulnerability of either apache or php to gain
apache user rights and make files executable and even run it (or run
it with another vulnerability in another application required on the
server).


And you could check the upload files for validity, to insure that they
meet certain criteria of non-executable files in the first place.


Unfortunately, I cannot restrict the file types I accept. I would say
that one of the goals of the application is to deliver binaries
(executables).


 - cracker uses a vulnerability and obtains the same rights as the
 web server (due to mod_php) she will be able to access all the
 files (at least in read mode) because the user who runs apache has to
 be able to read them.

Is this on a shared server?


No it's not.
We are talking about a dedicated box in a DMZ with all the network
security devices tailored.


Is your PHP binary reading script dumb enough to allow them to access
the files they shouldn't be accessing?


I don't think so (code was audited) but I cannot guarantee there are no
bugs in my application.


 There are probably other things I don't imagine but I think the usage
 of another server to host data is a good approach.

I think it's a great approach, if the data being secured warrants it
and the web application is well-written.

I think it's a waste of time if the data being secured is not worth
securing or the PHP script is so badly-written

Re: [PHP] Out source files

2007-03-20 Thread Manuel Vacelet

2007/3/20, Richard Lynch [EMAIL PROTECTED]:

One common pattern in PHP is to not put the file in the web tree at
all, and write a PHP script with 'readfile' (or fopen/fread/echo loop
for larger files).

You can then control access to the file, and log any kind of stats you
need about accessing the file.


Yes I already do that with all my scripts that are dealing with files.


Once you have that, then you can also put the files on some other
server, and use URL fopen to read them, if you like.


Is it considered as secure ?


I've done that for one site where a webhost a like has limited hard
drive space, and have made it appear as if a Terabyte of music is
available on a 500 meg site.

Or you could use PHP ftp functions to shuffle them around.


I much like this approach because we don't rely on another apache
server. We can assume that if a cracker found a security hole on the
front-end, it will be easier to use the same exploit on the second
server.

I had a quick look on the ftp functions of php and there is an
interesting usage proposed in comments:
http://www.php.net/manual/en/function.ftp-get.php#72603

Coupled with ssl ftp, this could be a good solution.

Any comments, pros, cons, ... ?


It depends more on what you are trying to secure, and why, than it
does on any sort of general principle, really...  And just personal
preference on how to do this sort of thing... And your performance
needs are a big factor, sometimes.


Security is the major point (before performances).
The main goal is to be still protected if there is an element under
attack on the application server, for instance a vulnerability in
apache (or even php according to the March month ;).

I want to be protected against:
- cracker uploads a file and uses a vulnerability to execute it on the
server (I can avoid it with a partition mounted without exec rights or
with another server that hosts the files).
- cracker uses a vulnerability and obtains the same rights as the
web server (due to mod_php) she will be able to access all the
files (at least in read mode) because the user who runs apache has to
be able to read them.

There are probably other things I don't imagine but I think the usage
of another server to host data is a good approach.

Regards,
Manuel




[PHP] Out source files

2007-03-19 Thread Manuel Vacelet

Hi all,

I would like to know if there is some common patterns to out source
the files served by a LAMP stack.

Technically speaking I would like to store my files (application data)
on another machine than the one that runs my PHP app. (as I already do
with MySql).

The best would be to use a secure connection between my app. server and
the storage one (communication can be tunneled in SSH though).

Thanks,
Regards,
Manuel




Re: [PHP] Out source files

2007-03-19 Thread Manuel Vacelet

2007/3/19, Richard Lynch [EMAIL PROTECTED]:

On Mon, March 19, 2007 12:46 pm, Manuel Vacelet wrote:
 I would like to know if there is some common patterns to out source
 the files served by a LAMP stack.

 Technically speaking I would like to store my files (application data)
 on another machine than the one that runs my PHP app. (as I already do
 with MySql).

 The best would be to use a secure connection between my app. server and
 the storage one (communication can be tunneled in SSH though).

For a media rich site, it's super common to move the images (or other
large-size files) off to a different server, with the hard drives and
OS tuned for large files.  (Or for small files, if they are, say,
email bodies or somesuch.)

This works especially well for content that is acquired by the visitor
through a separate HTTP request anyway.

What sort of application data are you looking at, though?...


Ooops, forgot to clarify my request ;)

I don't want the user to make a direct connection to another server.
It's not a matter of performance but of security.

It's often recommended in some security guidelines not to store
application data on the same server as the one that runs the
application (for instance to avoid having an apache or php failure expose
your files directly to anyone, or letting a user execute a file she uploaded
thanks to another hole in another piece of software).

This is already possible with any DB to have a second server and to
connect to this server through an SSL tunnel. I would like to have the
same approach for all the files not in the DB.

Note: obviously, there are security concerns in my request and there
are access rights on the files.

I hope this clarifies my needs.

-- Manuel

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
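
Added example, not from the thread: fetching a file from the separate storage server discussed in these messages over HTTPS with curl, verifying the server certificate against a private CA bundle and streaming the body to the client. The host name, CA bundle path, numeric id format and function names are assumptions; the access check on the requested file is assumed to happen before stream_from_storage() is called.

```php
<?php
const STORAGE_BASE = 'https://storage.internal.example/files/';  // assumed storage host
const STORAGE_CA   = '/etc/myapp/storage-ca.pem';                // assumed private CA bundle

/** Only opaque numeric ids reach the URL, so user input cannot alter host or path. */
function storage_url(string $fileId): ?string
{
    return preg_match('/\A[0-9]{1,12}\z/', $fileId) === 1 ? STORAGE_BASE . $fileId : null;
}

function storage_curl_options(string $url): array
{
    return [
        CURLOPT_URL            => $url,
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTPS,   // never fall back to http, ftp or file
        CURLOPT_FOLLOWLOCATION => false,             // a redirect cannot send us elsewhere
        CURLOPT_SSL_VERIFYPEER => true,              // certificate chain must lead to our CA
        CURLOPT_SSL_VERIFYHOST => 2,                 // and must name the host we asked for
        CURLOPT_CAINFO         => STORAGE_CA,
        CURLOPT_CONNECTTIMEOUT => 5,
        CURLOPT_FAILONERROR    => true,              // HTTP status >= 400 counts as a failure
        // Pass each chunk straight through instead of buffering the whole file.
        CURLOPT_WRITEFUNCTION  => function ($ch, string $chunk): int {
            echo $chunk;
            return strlen($chunk);
        },
    ];
}

/** Returns true when the file was streamed, false when the id or the transfer was refused. */
function stream_from_storage(string $fileId): bool
{
    $url = storage_url($fileId);
    if ($url === null) {
        return false;
    }
    $ch = curl_init();
    curl_setopt_array($ch, storage_curl_options($url));
    $ok = curl_exec($ch);
    if ($ok === false) {
        error_log('storage fetch failed: ' . curl_error($ch));
    }
    return $ok !== false;
}

if (PHP_SAPI === 'cli') {
    // Constructed ids: shows which ones are ever turned into a request URL.
    foreach (['1234', '../etc/passwd', '12@other.example/'] as $id) {
        printf("%-20s => %s\n", $id, storage_url($id) ?? 'rejected');
    }
}
```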



[PHP] umask is not being restored when each request is finished.

2006-03-16 Thread Manuel Vacelet
Hi all,

I copied/pasted the title of the following bug:
http://bugs.php.net/bug.php?id=36630
It seems already fixed in CVS for 5.1.x branch of PHP.

Actually, I'm running php4 (4.3.2 shipped by RHEL3) and I'm facing the
same bug. And I'm not alone, you can look at
http://bugs.php.net/28401. Unfortunately, this bug was closed with
Wont fix status :/

Can someone tell me if this fix will be backported to the 4.3.x or at
least 4.4.x branch or if it is already fixed in one of them
(changelog seems dumb on this subject) ?

Thanks,
Best Regards,
Manuel




Re: [PHP] Mime-type handling

2005-12-09 Thread Manuel Vacelet
2005/12/9, Curt Zirzow [EMAIL PROTECTED]:

 On Thu, Dec 08, 2005 at 12:31:52PM +0100, Manuel Vacelet wrote:
  Hi all,
 
  I'm facing a bad behaviour of the 'file' command used by the fileinfo PECL
  module (recommended for mime-type checking):
  * Some Microsoft Excel documents are detected as Microsoft Word documents
  * Some HTML files are just text/plain
  * ...
 
  I tested on multiple machines (with different versions of file) and I
  sometimes obtain a different behaviour but never the one expected :/ I also
  looked for the latest version of file but it seems that the file used to
  detect the mime-type is out of date...

 I'm not familiar to how fileinfo detects the contents, is the file
 it is using a file like:

   /usr/share/misc/magic


Yes and some other path.

 ...
  * Where can I find an up-to-date version of magic number list usable with
  file for mime type checking ?

 If the above is true, an updated version should be available for the
 OS you are using.


Unfortunately, my OS does not provide an up-to-date magic file.
But I have found an efficient solution via the freedesktop shared mime project:
http://www.freedesktop.org/wiki/Standards_2fshared_2dmime_2dinfo_2dspec

They provide an up-to-date database of magic numbers:
http://freedesktop.org/Software/shared-mime-info

And there is a PHP implementation of a querying tool:
http://www.freedesktop.org/wiki/Standards_2fshared_2dmime_2dinfo_2dspec#head-978bef7f41fbdc4b40c2deacb294a386c82aae4d

I tested it and it works very well. All my test cases passed
successfully.

 Even identifying contents of the file is not as reliable as one
 would think; it can also be spoofed.  For example with jpeg, there
 are several tools out there that will take a file, wrap  a jpeg
 image around the file  and embed the real contents inside of the
 file, and if your app just detects the magic contents, it will pass
 the test.

 The only way to ensure a file is what it really is to open and
 resave it with a trusted application. Using the jpeg example you
 would need to do something like:

  djpeg "$file" | cjpeg > testfile.jpg

 Well, with jpeg, the files will always be different but a fuzzy match
 based on filesize closeness and/or similar bit distribution.

Well, your comment is very interesting, I'll keep it in mind. But for my current
usage, I think the on-server mime-type detection as described above will
be secure enough.

Thanks for all,
Manuel


[PHP] Mime-type handling

2005-12-08 Thread Manuel Vacelet
Hi all,

I'm facing a bad behaviour of the 'file' command used by the fileinfo PECL module
(recommended for mime-type checking):
* Some Microsoft Excel documents are detected as Microsoft Word documents
* Some HTML files are just text/plain
* ...

I tested on multiple machines (with different versions of file) and I
sometimes obtain a different behaviour but never the one expected :/ I also
looked for the latest version of file but it seems that the file used to
detect the mime-type is out of date...

My questions are:
* If you already encounter this problem, how did you solve it ?
* Where can I find an up-to-date version of magic number list usable with
file for mime type checking ?

Thanks,
Regards,
Manuel