Comments (23)
comment by: burnbright
created at: 2011-05-30
This is how I have modified my own code:
public static function is_cli() {
    return (defined('STDIN') || php_sapi_name() == "cli");
}
from silverstripe-framework.
comment by: @chillu (ischommer)
created at: 2011-05-30
is_cli() is quite a security-sensitive method, as it's used to determine whether to allow certain things which are prevented in "non-CLI mode", so we have to be very conservative about adding any checks here. Could you find some documentation about how the STDIN constant is used, and perhaps examples of how other PHP frameworks detect CLI?
from silverstripe-framework.
comment by: @chillu (ischommer)
created at: 2011-10-18
Unsetting milestone
from silverstripe-framework.
@chillu I'm having this problem too.
These docs imply that cli mode sets this constant: http://php.net/manual/en/features.commandline.io-streams.php
Though I suppose it wouldn't be impossible to spoof that...
Couldn't we set some kind of variable if commands are run through sake? So that is just taken for granted that we are CLI?
from silverstripe-framework.
I guess we could, but would still prefer some built in checks. Same question: This isn't specific to SilverStripe, can somebody please dig up some best practices from other frameworks?
from silverstripe-framework.
Funnily enough, I've just spent 10 mins trawling through Symfony's code to find out how they do it and I can't seem to find any real checks (for security purposes) on how they do it.
They reference the constant PHP_SAPI twice in the entire source and it's not used for any security type things, just for debugging levels and similar.
This is the only thing I can find saying how to do it http://www.php.net/manual/en/features.commandline.php#103553
from silverstripe-framework.
Don't think we should change this.
from silverstripe-framework.
Hi all. Please go through my blog post related to the same issue, and I hope you guys will get the fix.
http://lakinmohapatra.blogspot.in/2016/08/solve-if-php-file-being-executed-by.html
from silverstripe-framework.
Could we declare a constant in cli-script.php that would ensure any subsequent checks for "is_cli" to true? Maybe just after the PHP_SAPI check?
from silverstripe-framework.
in cli-script.php
if(PHP_SAPI != "cli" && PHP_SAPI != "cgi" && PHP_SAPI != "cgi-fcgi") {
    echo "cli-script.php can't be run from a web request, you have to run it on the command-line.";
    die();
}
define('SS_ENVIRONMENT_CLI', true);
In Director.php
public static function is_cli() {
    return defined('SS_ENVIRONMENT_CLI') || php_sapi_name() == "cli";
}
What do you think @lakinmohapatra
from silverstripe-framework.
:S If our CLI script has this check, why isn't the same one used by Director? We could add the constant, but those are pseudo "environment vars" and being on the CLI is not a property of the environment... so it feels nasty.
from silverstripe-framework.
@tractorcow @dhensby @silverstripe-issues, for resolving this issue we don't need to change core files, because basically cron jobs should be run by CLI. It's a PHP environment setup issue for the cron user, nothing else.
To fix this, we need to find the exact path to the correct php binary by typing this:
"which php"
This should give you a path like /usr/bin/php. You can go one step further and check if this is actually a "symbolic link" pointing to a different filename or not:
ls -l $(which php)
Output will be something like /usr/bin/php -> /usr/bin/php5-cli, or maybe some other binary.
Then add this full path to the PHP executable and use that in your crontab entry, so it looks something like this:
* * * * * /usr/bin/php5-cli /home/path/to/artisan schedule:run 1>> /dev/null 2>&1
I hope it will solve your issue without hacking core files.
from silverstripe-framework.
changing core files is not "hacking" if we're fixing a bug... we are maintaining the core files here.
I don't have a problem with cron module identifying itself as running not on the CLI - what OS / PHP versions do you have installed?
from silverstripe-framework.
@dhensby, it would be good if you wrote a common function for identifying CLI jobs.
But I was speaking from the user perspective.
Possible solutions :
if (array_key_exists('REQUEST_METHOD', $_SERVER)) die();
if (php_sapi_name() === 'cli' OR defined('STDIN')) return true;
But make sure your CLI-defending system is covering all scenarios.
from silverstripe-framework.
@lakinmohapatra ah, ok. @tractorcow was suggesting a fix that could be used in core, rather than suggesting you amend core files in your project (which of course would be bad).
from silverstripe-framework.
@dhensby, thanks for understanding my points.
Please review his code again and see if it's working for all SAPI names mentioned on php.net.
from silverstripe-framework.
One more point:
There are lots of advantages to using php-cli instead of other SAPI names.
It has unlimited execution time.
It does not write headers to output.
The CLI SAPI does not change the current directory to the directory of the executed script!
When using the CGI version, the output is:
$ pwd
/tmp
$ php -q another_directory/test.php
/tmp/another_directory
This clearly shows that PHP changes its current directory to the one of the executed script.
Using the CLI SAPI yields:
$ pwd
/tmp
$ php -f another_directory/test.php
/tmp
This allows greater flexibility when writing shell tools in PHP.
So I think it has lots of advantages over other SAPI names.
So better to stick with the CLI check only.
@dhensby, please let me know your feedback on it.
http://www.softpanorama.org/Scripting/Phprama/command_line_php.shtml
from silverstripe-framework.
:S If our CLI script has this check, why isn't the same one used by Director? We could add the constant, but those are pseudo "environment vars" and being on the CLI is not a property of the environment... so it feels nasty.
Because it doesn't check if the environment IS cli, it checks if the environment is definitely NOT cli.
cgi-fcgi is still ambiguous.
from silverstripe-framework.
Yeah, this is a wontfix, I think. I don't think it's worth introducing security risks to cater to an odd configuration.
from silverstripe-framework.
We could potentially introduce the if(defined('SS_ENVIRONMENT_FORCE_CLI')) check but leave it up to project developers to create a script where that is defined. They can ensure that the script that defines it is outside of the webroot or similar.
cli-script.php will end up getting exposed to some webservers by a hapless installer and I don't want to see a highway-like security bypass created in those situations.
from silverstripe-framework.
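The two options discussed in this thread, `defined('STDIN') || PHP_SAPI == "cli"` and an opt-in constant defined by the CLI entry script, can be compared side by side. The block below is an added example and is not SilverStripe code; `is_cli_naive()`, `is_cli_strict()` and the `$_SERVER` arrays in the decision table are constructed for illustration, and `SS_ENVIRONMENT_FORCE_CLI` is the opt-in constant floated above, not something the framework defines. The strict version orders its checks so that evidence of a web request always wins, which is what makes the `define('STDIN', ...)` bypass fail.

```php
<?php
declare(strict_types=1);

// Added example, not SilverStripe code. Names are illustrative.

/**
 * The proposal from the top of the thread, with the inputs injected so it can
 * be exercised under any interpreter (pass PHP_SAPI and defined('STDIN') for
 * real use). Weakness: user code can call define('STDIN', ...) under any SAPI,
 * so a web request that includes such a file is reported as CLI.
 */
function is_cli_naive(string $sapi, bool $stdinDefined): bool
{
    return $stdinDefined || $sapi === 'cli';
}

/**
 * Fail-closed variant: any evidence of a web request beats any evidence of a
 * command line.
 *
 * @param string $sapi     PHP_SAPI
 * @param array  $server   $_SERVER
 * @param bool   $forceCli defined('SS_ENVIRONMENT_FORCE_CLI'), set by a file
 *                         the operator keeps outside the document root
 */
function is_cli_strict(string $sapi, array $server, bool $forceCli): bool
{
    // 1. Request markers. Every web SAPI (apache2handler, fpm-fcgi, cgi,
    //    cgi-fcgi, ...) populates these; a shell-launched php or php-cgi
    //    does not. Checked first so nothing below can override a real
    //    HTTP request.
    foreach (['REQUEST_METHOD', 'HTTP_HOST', 'REMOTE_ADDR', 'SERVER_PROTOCOL'] as $key) {
        if (array_key_exists($key, $server)) {
            return false;
        }
    }

    // 2. The CLI SAPI is the only unambiguous positive signal. STDIN is
    //    deliberately not consulted: it adds nothing here and is spoofable.
    if ($sapi === 'cli') {
        return true;
    }

    // 3. php-cgi launched from cron (SAPI "cgi"/"cgi-fcgi", no request
    //    markers) stays ambiguous. Only an explicit opt-in turns it into
    //    "CLI"; code cannot verify that the defining file lives outside the
    //    webroot, which is why the thread declined to do this by default.
    if (in_array($sapi, ['cgi', 'cgi-fcgi'], true) && $forceCli) {
        return true;
    }

    return false;
}

/** Constructed scenarios: [label, sapi, $_SERVER subset, STDIN defined?, force constant?] */
function decision_table(): array
{
    $webRequest = [
        'REQUEST_METHOD'  => 'GET',
        'HTTP_HOST'       => 'example.test',
        'REMOTE_ADDR'     => '203.0.113.5',
        'SERVER_PROTOCOL' => 'HTTP/1.1',
    ];
    $cronEnv = ['PATH' => '/usr/bin:/bin', 'argv' => ['cli-script.php', 'dev/build']];

    $rows = [
        ['sake under php-cli',                      'cli',            $cronEnv,    true,  false],
        ['mod_php request + define("STDIN") trick', 'apache2handler', $webRequest, true,  false],
        ['FastCGI web request',                     'cgi-fcgi',       $webRequest, false, false],
        ['cron whose "php" is php-cgi',             'cgi',            $cronEnv,    false, false],
        ['same cron, opt-in file outside webroot',  'cgi',            $cronEnv,    false, true],
    ];

    $out = [];
    foreach ($rows as [$label, $sapi, $server, $stdin, $force]) {
        $out[$label] = [
            'naive'  => is_cli_naive($sapi, $stdin),
            'strict' => is_cli_strict($sapi, $server, $force),
        ];
    }
    return $out;
}

foreach (decision_table() as $label => $result) {
    printf("%-45s naive=%-5s strict=%s\n", $label,
        $result['naive'] ? 'true' : 'false',
        $result['strict'] ? 'true' : 'false');
}
```

Run under `php` from a shell, the second row is the one that matters: the naive check reports a web request as CLI once any included file has defined `STDIN`, while the strict check does not. The fourth row shows the cron misconfiguration the thread is about: both checks say "not CLI", and the fix is the one given above (point cron at the php-cli binary), not a looser check.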
It sounds like we can do better at detecting cli, but @sminnee raises a good point about just assuming cli script is run by cli
from silverstripe-framework.
Agreed, #wontfix :)
from silverstripe-framework.
I've run into this problem myself and the resolution is to run the cron using the php-cli binary instead of php...
Seems like a fairly simple fix and perhaps something sake should be looking for?
from silverstripe-framework.