Spaces in filenames [message #173701] |
Fri, 29 April 2011 23:00 |
Tim Streater
When my app starts up, it discovers where it has been installed using:
    $instdir = dirname (__FILE__);
Now, I have no control over where this might be in the file system, and
the user may well put it somewhere such that the path contains spaces.
I'm passing this round the app, and in the fullness of time may be doing
things like:
    $fp = fopen ($instdir . "/wiggy", "r");
Does it matter to PHP filesystem functions if the filename contains
spaces?
But what's worse, I'll also be passing $instdir to shell scripts via
exec ().
Seems to me I can:
1) search/replace $instdir to escape spaces with backslash-space. But
does this mess up PHP filesystem functions?
2) leave $instdir as-is, but use escapeshellarg on it whenever I need to
pass it through exec().
Which is the better approach?
--
Tim
"That excessive bail ought not to be required, nor excessive fines imposed,
nor cruel and unusual punishments inflicted" -- Bill of Rights 1689
Re: Spaces in filenames [message #173702 is a reply to message #173701] |
Sat, 30 April 2011 01:26 |
Robert Heller
At Sat, 30 Apr 2011 00:00:50 +0100 Tim Streater <timstreater(at)waitrose(dot)com> wrote:
>
> When my app starts up, it discovers where it has been installed using:
>
> $instdir = dirname (__FILE__);
>
> Now, I have no control over where this might be in the file system, and
> the user may well put it somewhere such that the path contains spaces.
> I'm passing this round the app, and in the fullness of time may be doing
> things like:
>
> $fp = fopen ($instdir . "/wiggy", "r");
>
> Does it matter to PHP filesystem functions if the filename contains
> spaces?
>
> But what's worse, I'll also be passing $instdir to shell scripts via
> exec ().
>
> Seems to me I can:
>
> 1) search/replace $instdir to escape spaces with backslash-space. But
> does this mess up PHP filesystem functions?
Most likely.
>
> 2) leave $instdir as-is, but use escapeshellarg on it whenever I need to
> pass it through exec().
This is the approach.
OTOH, you really should not be using exec() at all -- it is a security
risk.
Note further: it is more likely that your PHP code will be installed on
a UNIX (Linux) system (eg a LAMP box) and Linux sysadmins (and many
users) tend to avoid spaces in file pathnames, esp. on servers. You may
be chasing a problem that is not going to be an issue.
>
> Which is the better approach?
>
--
Robert Heller -- 978-544-6933 / heller(at)deepsoft(dot)com
Deepwoods Software -- http://www.deepsoft.com/
() ascii ribbon campaign -- against html e-mail
/\ www.asciiribbon.org -- against proprietary attachments
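
The two options from the question, tried out side by side as an added example (not code from any poster in this thread). It assumes a Unix-like system with `cat` available; the directory name is constructed and holds a `;` as well as spaces, and the last step uses the array form of proc_open(), which needs PHP 7.4 or later.

```php
<?php
// Constructed sample: an install directory whose name contains spaces and a
// shell metacharacter (";"). The name and the "wiggy" contents are made up.
$instdir = sys_get_temp_dir() . '/my app; echo INJECTED';
if (!is_dir($instdir)) {
    mkdir($instdir);
}
$file = $instdir . '/wiggy';
file_put_contents($file, "hello\n");

// 1) Filesystem functions hand the string to the OS as-is; no shell parses
//    it, so the raw path works for fopen/fgets/fclose alike.
$fp = fopen($file, 'r');
echo 'fopen, raw path:        ', trim(fgets($fp)), "\n";
fclose($fp);

// 2) Option 1 from the question: backslash-space names a different path
//    (one with literal backslashes), so the same file is no longer found.
$backslashed = str_replace(' ', '\\ ', $file);
echo 'file_exists, backslash: ', var_export(file_exists($backslashed), true), "\n";

// 3) Raw path concatenated into a command line: the shell splits on the
//    spaces and treats ";" as a command separator, so cat never sees the
//    file (its error goes to stderr) and a second command runs.
exec('cat ' . $file, $raw);
echo 'exec, raw path:         ', implode(' | ', $raw), "\n";

// 4) Option 2 from the question: escapeshellarg() at the exec() call only.
//    The whole path reaches cat as a single argument.
exec('cat ' . escapeshellarg($file), $quoted);
echo 'exec, escapeshellarg:   ', implode(' | ', $quoted), "\n";

// 5) PHP 7.4+: proc_open() with an array command starts the program
//    directly, with no shell involved and therefore nothing to escape.
$proc = proc_open(['cat', $file], [1 => ['pipe', 'w']], $pipes);
echo 'proc_open, array form:  ', trim(stream_get_contents($pipes[1])), "\n";
fclose($pipes[1]);
proc_close($proc);

// Remove the constructed sample again.
unlink($file);
rmdir($instdir);
```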
Re: Spaces in filenames [message #173703 is a reply to message #173701] |
Sat, 30 April 2011 06:57 |
Eli the Bearded
In comp.lang.php, Tim Streater <timstreater(at)waitrose(dot)com> wrote:
> When my app starts up, it discovers where it has been installed using:
>
> $instdir = dirname (__FILE__);
>
> Now, I have no control over where this might be in the file system, and
> the user may well put it somewhere such that the path contains spaces.
> I'm passing this round the app, and in the fullness of time may be doing
> things like:
>
> $fp = fopen ($instdir . "/wiggy", "r");
Why? Just chdir() and use relative filenames. You'll save yourself
a boatload of headache.
    $instdir = dirname (__FILE__);
    chdir($instdir);
    $fp = fopen ("./wiggy", "r");
> But what's worse, I'll also be passing $instdir to shell scripts via
> exec ().
Most people just do a half-assed job because who would ever:
    # mkdir "rm -rf *;" && cd "rm -rf *;" && tar xzf /tmp/INSTALLPACKAGE.tgz
(For one thing, the "./configure && make" will typically fail
horribly.)
But if you aren't willing to cope with that, you can make things
a damn-sight easier by simply not caring where you are installed.
If you can treat it like it is your own chroot() environment and
never need to know the actual name of the install directory, you
won't care what craziness someone tries.
> 2) leave $instdir as-is, but use escapeshellarg on it whenever I need to
> pass it through exec().
Wait, you know how to escape shell characters and you are thinking
about not doing it?
> Which is the better approach?
It's a cruel world out there. Try to be prepared.
> "That excessive bail ought not to be required, nor excessive fines imposed,
> nor cruel and unusual punishments inflicted" -- Bill of Rights 1689
Don't forget the directories with control characters in them that
hide how messed up they are to the naked eye. I love those.
mkdir "<!--;rm -rf *;-->^H..17x^H..longnstalldirname" && cd \<*name && pwd
Elijah
------
protip: type each of the ^Hs as <ctrl-V><ctrl-H>
Re: Spaces in filenames [message #173704 is a reply to message #173703] |
Sat, 30 April 2011 11:33 |
Tim Streater
In article <eli$1104300232(at)qz(dot)little-neck(dot)ny(dot)us>,
Eli the Bearded <*@eli.users.panix.com> wrote:
> In comp.lang.php, Tim Streater <timstreater(at)waitrose(dot)com> wrote:
>> When my app starts up, it discovers where it has been installed using:
>>
>> $instdir = dirname (__FILE__);
>>
>> Now, I have no control over where this might be in the file system, and
>> the user may well put it somewhere such that the path contains spaces.
>> I'm passing this round the app, and in the fullness of time may be doing
>> things like:
>>
>> $fp = fopen ($instdir . "/wiggy", "r");
>
> Why? Just chdir() and use relative filenames. You'll save yourself
> a boatload of headache.
>
> $instdir = dirname (__FILE__);
> chdir($instdir);
> $fp = fopen ("./wiggy", "r");
:-)
I didn't bother to explain how my app is structured but I see I need to.
There are in fact 47 separate PHP scripts which are run by apache for
the user. Indeed, they run on the user's machine, not on a remote host,
along with an instance of apache also run under the user's id, and some
23 html pages which request the running of the PHP scripts. Note that
I'm not using port 80 for this and the apache instance only accepts
requests from localhost.
So I could chdir, but why bother. It would just be an extra, avoidable,
bunch of PHP statements.
--
Tim
"That excessive bail ought not to be required, nor excessive fines imposed,
nor cruel and unusual punishments inflicted" -- Bill of Rights 1689
Re: Spaces in filenames [message #173705 is a reply to message #173702] |
Sat, 30 April 2011 11:57 |
Tim Streater
In article <6N2dnXd-OYug-CbQnZ2dnUVZ_jydnZ2d(at)posted(dot)localnet>,
Robert Heller <heller(at)deepsoft(dot)com> wrote:
> At Sat, 30 Apr 2011 00:00:50 +0100 Tim Streater <timstreater(at)waitrose(dot)com>
> wrote:
>
>>
>> When my app starts up, it discovers where it has been installed using:
>>
>> $instdir = dirname (__FILE__);
>>
>> Now, I have no control over where this might be in the file system, and
>> the user may well put it somewhere such that the path contains spaces.
>> I'm passing this round the app, and in the fullness of time may be doing
>> things like:
>>
>> $fp = fopen ($instdir . "/wiggy", "r");
>>
>> Does it matter to PHP filesystem functions if the filename contains
>> spaces?
>>
>> But what's worse, I'll also be passing $instdir to shell scripts via
>> exec ().
>>
>> Seems to me I can:
>>
>> 1) search/replace $instdir to escape spaces with backslash-space. But
>> does this mess up PHP filesystem functions?
>
> Most likely.
Hmmm, I haven't in fact tested using a spacey path or a backslash-spacey
path, but it wouldn't necessarily help anyway, since I don't know how
fopen etc work internally and it could be that it might work with fopen
but not fclose (say).
>> 2) leave $instdir as-is, but use escapeshellarg on it whenever I need to
>> pass it through exec().
>
> This is the approach.
It's certainly what I'd prefer, but I'd still like to convince myself
that PHP filesystem functions are OK by design with spacey paths.
> OTOH, you really should not be using exec() at all -- it is a security
> risk.
In all cases the PHP scripts are being run under the user's id on their
own machine. I'm using it to start/stop an instance of apache, to run
newsyslog, open [1], and Safari [2].
> Note further: it is more likely that your PHP code will be installed on
> a UNIX (Linux) system (eg a LAMP box) and Linux sysadmins (and many
> users) tend to avoid spaces in file pathnames, esp. on servers. You may
> be chasing a problem that is not going to be an issue.
:-)
See my other reply post on the structure of the app. The user decides
where *everything* goes, since everything is running on their own
machine (which acts as server as well as client). As for running it
under linux, it could probably be done since it's unix. I'm developing
under OS X as that is what I have (I have no access to a linux box).
[1] Under OS X you can do:
    open filename
on the command line and filename opens for the user with whatever is the
default app for that type of file. Typically, filename is going to be a
user file.
[2] Having it start a Safari instance happens to be how it's coded, but
everything tests OK with other browsers.
--
Tim
"That excessive bail ought not to be required, nor excessive fines imposed,
nor cruel and unusual punishments inflicted" -- Bill of Rights 1689
Re: Spaces in filenames [message #173706 is a reply to message #173701] |
Sat, 30 April 2011 12:49 |
Jerry Stuckle
On 4/29/2011 7:00 PM, Tim Streater wrote:
> When my app starts up, it discovers where it has been installed using:
>
> $instdir = dirname (__FILE__);
>
> Now, I have no control over where this might be in the file system, and
> the user may well put it somewhere such that the path contains spaces.
> I'm passing this round the app, and in the fullness of time may be doing
> things like:
>
> $fp = fopen ($instdir . "/wiggy", "r");
>
> Does it matter to PHP filesystem functions if the filename contains spaces?
>
> But what's worse, I'll also be passing $instdir to shell scripts via
> exec ().
>
> Seems to me I can:
>
> 1) search/replace $instdir to escape spaces with backslash-space. But
> does this mess up PHP filesystem functions?
>
> 2) leave $instdir as-is, but use escapeshellarg on it whenever I need to
> pass it through exec().
>
> Which is the better approach?
>
Why don't you just try it?
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================