[PHP] Problem with wrapper script for Tidy

2006-08-04 Thread Frank Arensmeier

Hello.

Since my ISP does not provide the tidy module for Apache, I tested  
writing a wrapper script for a locally installed tidy binary. In  
general, the script is triggered by a modification to the .htaccess  
file like so:


AddHandler server-parsed .php
Action server-parsed /tidy_wrapper.php5

All php pages are by that means "treated" by the script  
tidy_wrapper.php5.


Here is the code for tidy_wrapper.php5:

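<?php
// Capture the output of the requested PHP page instead of sending it directly
chdir ( dirname ( $_SERVER['PATH_TRANSLATED'] ) );
ob_start();
include ( $_SERVER['PATH_TRANSLATED'] );
$output = ob_get_contents();
ob_end_clean();

// Including a line with the comment "" will turn off tidy conversion

if ( !stristr ( $output, "" ) ) {
	// Write the buffered page to a temporary file for tidy to read
	$localfile = tempnam ( '../tmp', "tmp" );
	$handle = fopen($localfile, "w");
	fwrite($handle, $output);
	fclose($handle);

	$command = '/Library/WebServer/CGI-Executables/tidy -iq --show-errors 0 --show-warnings 0 -wrap 100 ' . $localfile . ' 2>&1';

	// Run tidy, send its output to the client, then remove the temporary file
	exec ( $command, $output_exec );
	echo implode ( "\n", $output_exec );
	unlink ( $localfile );
} else {
	echo $output;
}
exit;
?>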

Although the script is actually working fine, there is at least one
downside: speed. As you can see, the output buffer must be written to
a file in order to be processed by tidy. I was not able to get tidy
to accept a string for processing. Doing so, tidy throws an error. I
have looked through tidy documentation without finding any clues. I
would appreciate any hints. Any ideas for a workaround for that file
saving-thing would be welcome!


Otherwise, I strongly feel that this script might become/be a  
security hole. Because it does not validate the included PHP code, it  
could be misused for doing bad stuff, or am I wrong? Once more, any  
suggestions are welcome.


regards,
/frank

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] Problem with wrapper script for Tidy

2006-08-04 Thread Richard Lynch
Did you try to use "-" as the file and pipe the output?...

That might work...

As far as the Tidy not validating the included PHP, I'm not sure what
you mean, but I don't see this making the PHP code any less secure
than it was before you wrapped Tidy around it...

On Fri, August 4, 2006 6:21 am, Frank Arensmeier wrote:
> Hello.
>
> Since my ISP does not provide the tidy module for Apache, I tested
> writing a wrapper script for a locally installed tidy binary. In
> general, the script is triggered by a modification to the .htaccess
> file like so:
>
> AddHandler server-parsed .php
> Action server-parsed /tidy_wrapper.php5
>
> All php pages are by that means "treated" by the script
> tidy_wrapper.php5.
>
> Here is the code for tidy_wrapper.php5:
>
> <?php
> chdir ( dirname ( $_SERVER['PATH_TRANSLATED'] ) );
> ob_start();
> include ( $_SERVER['PATH_TRANSLATED'] );
> $output = ob_get_contents();
> ob_end_clean();
>
> // Including a line with the comment "" will turn off tidy conversion
>
> if ( !stristr ( $output, "" ) ) {
>   $localfile = tempnam ( '../tmp', "tmp" );
>   $handle = fopen($localfile, "w");
>   fwrite($handle, $output);
>   fclose($handle);
>
>   $command = '/Library/WebServer/CGI-Executables/tidy -iq --show-errors 0 --show-warnings 0 -wrap 100 ' . $localfile . ' 2>&1';
>
>   exec ( $command, $output_exec );
>   echo implode ( "\n", $output_exec );
>   unlink ( $localfile );
> } else {
>   echo $output;
> }
> exit;
> ?>
>
> Although the script is actually working fine, there is at least one
> downside: speed. As you can see, the output buffer must be written to
> a file in order to be processed by tidy. I was not able to get tidy
> to accept a string for processing. Doing so, tidy throws an error. I
> have looked through tidy documentation without finding any clues. I
> would appreciate any hints. Any ideas for a workaround for that file
> saving-thing would be welcome!
>
> Otherwise, I strongly feel that this script might become/be a
> security hole. Because it does not validate the included PHP code, it
> could be misused for doing bad stuff, or am I wrong? Once more, any
> suggestions are welcome.
>
> regards,
> /frank


-- 
Like Music?
http://l-i-e.com/artists.htm




Re: [PHP] Problem with wrapper script for Tidy

2006-08-05 Thread Frank Arensmeier
Thank you Richard. I will test that (piping the output). Regarding my
concerns about "rubbing security" by not validating the included
code, I actually meant that the script does not validate where the
included PHP script is coming from. Could someone set the
environmental variable $_SERVER['PATH_TRANSLATED'] from outside, so
to say? Or is there no reason to be worried?


/frank
On 4 Aug 2006 at 22:22, Richard Lynch wrote:

> Did you try to use "-" as the file and pipe the output?...
>
> That might work...
>
> As far as the Tidy not validating the included PHP, I'm not sure what
> you mean, but I don't see this making the PHP code any less secure
> than it was before you wrapped Tidy around it...

--
Frank Arensmeier
Marketing Support & Webmaster

NIKE Hydraulics AB
Box 1107
631 80 Eskilstuna
Sweden

phone +46 - (0)16 16 82 34
fax +46 - (0)16 13 93 16
[EMAIL PROTECTED]
www.nikehydraulics.se
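

The piping idea and the PATH_TRANSLATED concern from this thread, combined in an added example that is not part of any poster's message: the buffered page goes to tidy on standard input (tidy reads stdin when no file argument is given), and the target is included only after realpath() confirms it is a .php file under DOCUMENT_ROOT. resolve_target() and tidy_pipe() are hypothetical names, the 404 response is an assumption, and the opt-out marker check of the original script is left out.

```php
<?php
// Added example (not the poster's script): hypothetical hardened tidy_wrapper.php5.
define('TIDY_BIN', '/Library/WebServer/CGI-Executables/tidy'); // binary path from the post

// Return the canonical path if it is a regular .php file inside $docroot, else null.
function resolve_target($requested, $docroot)
{
    if ($requested === '' || $docroot === '') {
        return null;                        // realpath('') would mean the current directory
    }
    $root = realpath($docroot);
    $path = realpath($requested);           // resolves symlinks and ".." segments
    if ($root === false || $path === false || !is_file($path)) {
        return null;
    }
    $inside = strncmp($path, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) === 0;
    $is_php = strtolower(pathinfo($path, PATHINFO_EXTENSION)) === 'php';
    return ($inside && $is_php) ? $path : null;
}

// Send $html to tidy on stdin and return its stdout; no temporary file is written.
function tidy_pipe($html)
{
    $cmd  = escapeshellarg(TIDY_BIN) . ' -iq --show-errors 0 --show-warnings 0 -wrap 100';
    $spec = array(0 => array('pipe', 'r'), 1 => array('pipe', 'w'),
                  2 => array('file', '/dev/null', 'w'));
    $proc = proc_open($cmd, $spec, $pipes);
    if ($proc === false) {
        return $html;                       // tidy unavailable: serve the page untidied
    }
    // Assumption: tidy reads the whole document before writing, so write-then-read is safe.
    fwrite($pipes[0], $html);
    fclose($pipes[0]);                      // EOF marks the end of the document
    $tidied = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    proc_close($proc);
    return ($tidied === false || $tidied === '') ? $html : $tidied;
}

$requested = isset($_SERVER['PATH_TRANSLATED']) ? $_SERVER['PATH_TRANSLATED'] : '';
$docroot   = isset($_SERVER['DOCUMENT_ROOT']) ? $_SERVER['DOCUMENT_ROOT'] : '';
$target    = resolve_target($requested, $docroot);
if ($target === null) {
    header('HTTP/1.0 404 Not Found');
    exit;
}
chdir(dirname($target));
ob_start();
include $target;
echo tidy_pipe(ob_get_clean());
```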