PHP - Discover if Debian package exists - php

I want to be able to discover if a Debian package has been installed on our production server; the functionality should be just like extension_loaded().
Can anyone suggest a method? I can only assume I should use exec() and parse the return value for 'command not found'. I'd like to know if there's a safer / better option though.

If you have permission to exec, then you could use one of the following:
whereis packagename
apt-cache policy packagename

You could write a simple API for this. It should do something like the following:
Let PHP write the wanted packages to an XML file, text file, or database, anything you can read with a shell app, Perl app, or whatever.
On the server level, read out the file or database, check if the package exists and return the value in an output file, database table or whatever.
Read out the output file with PHP and show it to your user.
The drawback of the above proposed solution is that it takes some time, e.g. you cannot check for the availability of the package in real time. If that is actually mandatory, you could write a PHP script which does not take any input, but reads out the packages that should be checked from a database or a text file, where the values have been extensively tested, e.g. using a regex. This way you're sure a malicious user cannot inject shell commands.
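A real-time variant of the check discussed in the answers above, as an added example that is not from any of the posters: the package name is validated against the Debian naming rules and passed to dpkg-query without a shell. The function name debian_package_installed() and the choice of dpkg-query (instead of whereis or apt-cache) are assumptions of this example.

```php
<?php
declare(strict_types=1);

/**
 * Report whether a Debian package is installed, without passing the name through a shell.
 * Added example: the function name and the choice of dpkg-query are assumptions.
 */
function debian_package_installed(string $package): bool
{
    // Debian policy: lowercase letters, digits, '+', '-', '.'; at least two
    // characters; must start with an alphanumeric. Rejecting everything else
    // also blocks option injection (a leading '-') and shell metacharacters.
    if (preg_match('/\A[a-z0-9][a-z0-9+.\-]+\z/', $package) !== 1) {
        throw new InvalidArgumentException('Invalid Debian package name');
    }

    // Array form of proc_open() (PHP >= 7.4) executes the binary directly,
    // so no shell ever parses the arguments.
    $cmd  = ['/usr/bin/dpkg-query', '--show', '--showformat=${Status}', $package];
    $spec = [1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open($cmd, $spec, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('Could not start dpkg-query');
    }

    $status = stream_get_contents($pipes[1]);
    stream_get_contents($pipes[2]);      // drain stderr so the child cannot block
    fclose($pipes[1]);
    fclose($pipes[2]);
    $exit = proc_close($proc);

    // dpkg-query exits non-zero for unknown packages; removed-but-not-purged
    // packages exit 0 with a status such as "deinstall ok config-files".
    return $exit === 0 && trim((string) $status) === 'install ok installed';
}

// Constructed sample input: two well-formed names and one injection attempt.
foreach (['php-cli', 'no-such-package-xyz', 'bash; id'] as $name) {
    try {
        $state = debian_package_installed($name) ? 'installed' : 'not installed';
        printf("%-22s %s\n", $name, $state);
    } catch (InvalidArgumentException $e) {
        printf("%-22s rejected: %s\n", $name, $e->getMessage());
    }
}
```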

Related

Can't run pdflatex command (Tex Live) on Plesk

I've got a problem with an API (PHP) I created. The API should create a PDF document depending on the data that is sent. The script works perfectly when run directly on the Ubuntu system that Plesk is running on.
The part that is not working is the following:
$cmd = sprintf("pdflatex -interaction nonstopmode %s", escapeshellarg($file));
exec($cmd, $foo, $ret);
The tex-file seems not to be touched... no log files or anything.
Any ideas about this?
Thank you
Latex is usually run by experienced users either raw on the command line or via IDE with console interaction, since there is often the need to see from console feedback why a compilation may fail.
The simplest check for whether pdfLaTeX is installed is to enter pdflatex --version at the system console; this should confirm that at least a minimal pdflatex has been found in the environment path and show the variant after a rough value for the level of pi.
So in this case it responded pdfTeX 3.14159265-2.6-1.40.18 (TeX Live 2017/Debian)
When trying to run unseen it is not easy to get feedback, so the smallest test with a small known sample is again at the console, to run in a current working directory with batch mode:
pdflatex -interaction=nonstopmode sample.tex
This should run with little need for checks; however, if the paths to pdflatex are not configured you may need to add the location of the pdflatex executable. Thus you discovered you needed /usr/bin/pdflatex -interaction=nonstopmode file.tex
There are many different dependencies in LaTeX packages and modules that require the "env" settings be well defined in terms of inter-related paths (e.g. to support files etc.) so it is worth checking those out from the extensive documentation.
Some modules may require elevation to escape shell restrictions via -shell-escape and the above command may need temporary elevation for one run (it should not be needed constantly) so only include when you know exactly from documentation why a module requires it.
It is tempting for TeX novices to think there is an advantage to using subfolders in a working directory for "chapter and verse", since the working directory may "look" cluttered by potentially dozens of runtime files; however, much of LaTeX depends on very specific relative pathing, and the best way to avoid errors is not to need to keep redefining images or other components by variables, and simply say it is in the same folder.
Likewise the packages should also be set to a fixed location by means of env variables, i.e. for the bin folder, fonts and other modular supporting components. It is worth reviewing https://tug.org/texlive/quickinstall.html and noting the section about minimal path definition, but there is much more than that basic setting required by post-installed components.
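A way to make the silent failure from the question visible, as an added example that is not the asker's or the answerer's code: it calls pdflatex by absolute path from the document's own directory, keeps shell escape switched off, and returns the exit code with the combined output. The function name compile_tex(), its return shape and the default path /usr/bin/pdflatex (taken from the answer above) are assumptions.

```php
<?php
declare(strict_types=1);

/**
 * Compile one .tex file and return everything needed to see why a run failed.
 * Added example: function name, return shape and default path are assumptions.
 */
function compile_tex(string $texFile, string $pdflatex = '/usr/bin/pdflatex'): array
{
    // The web server's PATH is often shorter than a login shell's, so use an
    // absolute path and fail loudly when the binary is missing.
    if (!is_executable($pdflatex)) {
        throw new RuntimeException("pdflatex not executable at $pdflatex");
    }
    $real = realpath($texFile);
    if ($real === false || pathinfo($real, PATHINFO_EXTENSION) !== 'tex') {
        throw new InvalidArgumentException('Expected an existing .tex file');
    }

    // -no-shell-escape keeps \write18 disabled for documents built from request data.
    // The './' prefix stops a file name starting with '-' being read as an option.
    $cmd = sprintf(
        'cd %s && %s -no-shell-escape -halt-on-error -interaction=nonstopmode %s 2>&1',
        escapeshellarg(dirname($real)),
        escapeshellarg($pdflatex),
        escapeshellarg('./' . basename($real))
    );
    exec($cmd, $output, $exitCode);   // 2>&1 puts the error text into $output

    return [
        'ok'     => $exitCode === 0,
        'exit'   => $exitCode,        // 126/127 from the shell: not runnable / not found
        'output' => $output,
        'pdf'    => preg_replace('/\.tex\z/', '.pdf', $real),
    ];
}

// Constructed sample: write a minimal document to a temp directory and build it.
$dir = sys_get_temp_dir() . '/tex-demo-' . getmypid();
mkdir($dir, 0700);
file_put_contents("$dir/sample.tex", "\\documentclass{article}\\begin{document}Hello\\end{document}\n");
try {
    $r = compile_tex("$dir/sample.tex");
    echo $r['ok'] ? "built {$r['pdf']}\n" : "failed ({$r['exit']}):\n" . implode("\n", $r['output']) . "\n";
} catch (RuntimeException $e) {
    echo 'cannot run: ', $e->getMessage(), "\n";
}
```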

PHP - Run external function in 'safe mode'

I'm trying to write a website in PHP that allows the user to enter PHP code, and then be able to run it on my server. However, I want to be able to disable certain features (file access, database access, etc.). Basically, I want the code to run without any risk to my server, and if the code does attempt to do something dangerous, I just want the code to stop running (I don't mind if it just stops, produces an error, or carries on while ignoring the dangerous code).
Is this possible, and if so, how could I achieve this?
Thanks :)
It is possible using libraries that do some simple checking or limiting.
Take a look at a PECL (PHP Extensions) extension called RunKit_Sandbox http://php.net/manual/en/runkit.sandbox.php or PHPSandbox.
The key to look for on Google is PHP Sandbox, it will find you similar libraries.
vi php.ini
and then find disable_functions.
Disable the functions as you want, like this:
disable_functions = exec,passthru,popen,proc_open,shell_exec,system,phpinfo,assert,chroot,getcwd,scandir,delete,rmdir,rename,chgrp,chmod,chown,copy,mkdir,file,file_get_contents,fputs,fwrite,dir
I actually developed a package specifically for these kinds of use cases. It can be fully configured and even used to override dangerous functions and globals.
https://github.com/fieryprophet/php-sandbox

Retrieving images in the uploaded pdf document in php

I am trying to display the images in the pdf document that I uploaded to the server as hyperlinks in php so that if user clicks on them they will get the corresponding document.
Please help me. Thanks in advance!
Use pdfimages, which comes with the open-source xpdf software package (for *nix operating systems). You'll have to call it through exec or the like, then work with the output from PHP. I am not aware of any PHP library that provides this functionality, so you're going to have to experiment.
EDIT
You mentioned that you aren't experienced with PHP... I thought I'd add that this isn't a quick-and-easy type of task, you certainly aren't going to find a bunch of tutorials around the internet for this.
To get started, you'll have to install the xpdf package on your server. There's a lot of different ways to do this depending on which OS you've got.
After that is set up, you'll be using a command line to execute a program on your server; you'll want to capture the output of that command in PHP and work with it further. So initially, you'll want to work out exactly what your command line will look like as well as what the output looks like and means - do this from the command line, don't worry about the PHP part yet. In this case, your output is going to be a list of the image files extracted from a given PDF; your command line call will look something like "pdfimages mypdf.pdf". Play around, find out what happens.
After you work out exactly what command line you need to send and what the command does, you can focus on the PHP angle. In a nutshell, you want PHP to execute the exact command that you've already worked out. Look at the manual for exec for information on how to call a command line and get the output back. Write your script to make the correct call and show the call's output.
Next, move on to doing something with that output. I presume you'll want to somehow store the extracted images in a web-accessible place, put them in the database, show them to the user, etc. That is the very last stage after you've worked out the initial steps.
Good luck!

Creating a Self-Extracting Executable Using PHP

The self-extracting executable that I'm attempting to develop is an installer. An end-user will visit a site, then they will be prompted to register on the site and a download will be provided to them. That download is the self-extracting executable that will install the software on the end-user's computer along with a config file that will have the user's unique id in it. The software is a Windows Service so it will not be able to simply ask the user their username and password.
To be able to insert the registered user's unique id into the installer, I would have to generate the installer on the fly. After researching and using my own experience, I decided that a self-extracting executable would be the best option. The question I have now is how can I generate one using PHP? After researching this problem, I found that the most common solution was to install an executable that could create self-extracting executables on the server machine and then invoke it from PHP. However, executing an executable is not possible with my web host, so this is not a viable solution.
However, executing an executable is not possible with my web host, so this is not a viable solution.
I think in that case, you will need to switch to a web host that lets you do this (or rent a dedicated or virtual server). You can create ZIP files from within PHP when the necessary libraries are installed, but that is about it. Producing Self-extracting executables is not on the menu.
If that is not an option, you would have to find a way to pre-produce the self-extracting executable and inject the user ID into it afterwards. That is surely possible, but I expect you would have to build a custom self-extractor for this.
A self-extracting archive is just an extractor with archive data appended. The extractor program opens itself, finds the offset of the data and extracts. There might be a trailer record to help find the offset.
You can append files easily in PHP: both an archive with your program and the user data. But you need to write a custom extractor that will be aware of this format.
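The append-and-trailer layout described in the answer above, as an added example that is not the answerer's code: build_installer() appends the archive, a per-user config and a trailer record to a pre-built extractor, and read_payload() mirrors the lookup a custom extractor would perform on itself. The trailer format, the magic string and both function names are assumptions invented for this sketch.

```php
<?php
declare(strict_types=1);

// Added example. The layout is an assumption made up for this sketch:
//   [stub][archive][config JSON]["SFXCFG01"][uint64 LE archive len][uint64 LE config len]
const SFX_MAGIC = 'SFXCFG01';
const SFX_TRAILER_LEN = 8 + 8 + 8;

function build_installer(string $stub, string $archive, array $config, string $out): void
{
    $json = json_encode($config, JSON_THROW_ON_ERROR);
    $trailer = SFX_MAGIC . pack('PP', filesize($archive), strlen($json));
    $fh = fopen($out, 'wb');
    foreach ([$stub, $archive] as $part) {          // stream, do not load into memory
        $in = fopen($part, 'rb');
        stream_copy_to_stream($in, $fh);
        fclose($in);
    }
    fwrite($fh, $json . $trailer);
    fclose($fh);
}

/** What the custom extractor does on start-up: locate both payloads from the trailer. */
function read_payload(string $exe): array
{
    $size = filesize($exe);
    $fh = fopen($exe, 'rb');
    fseek($fh, -SFX_TRAILER_LEN, SEEK_END);
    $trailer = fread($fh, SFX_TRAILER_LEN);
    if (substr($trailer, 0, 8) !== SFX_MAGIC) {
        throw new RuntimeException('No trailer: not a generated installer');
    }
    ['a' => $aLen, 'c' => $cLen] = unpack('Pa/Pc', substr($trailer, 8));
    $start = $size - SFX_TRAILER_LEN - $cLen - $aLen;
    if ($aLen < 1 || $cLen < 1 || $start < 0) {     // lengths come from the file: bound them
        throw new RuntimeException('Corrupt trailer');
    }
    fseek($fh, $start);
    $archive = fread($fh, $aLen);
    $config = json_decode(fread($fh, $cLen), true, 8, JSON_THROW_ON_ERROR);
    fclose($fh);
    return ['archive' => $archive, 'config' => $config];
}

// Constructed sample data standing in for the real extractor stub and ZIP archive.
$tmp = sys_get_temp_dir() . '/sfx-' . getmypid();
file_put_contents("$tmp.stub", 'MZ-constructed-stub');
file_put_contents("$tmp.zip", 'PK-constructed-archive');
build_installer("$tmp.stub", "$tmp.zip", ['user_id' => 'PLACEHOLDER-1234'], "$tmp.exe");
var_dump(read_payload("$tmp.exe"));
```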
I'm not sure this is possible.. The most you could do is use PHP to dynamically grab the files required surely?
Anyway, perhaps your application could access the internet to grab the files it needs periodically?
Or, you could reference an external PHP file in your program like /data.php?userid=1222&token=9999 which should be fairly secure.

How can I execute CGI files from PHP?

I'm trying to make a web app that will manage my Mercurial repositories for me.
I want it so that when I tell it to load repository X:
Connect to a MySQL server and make sure X exists.
Check if the user is allowed to access the repository.
If above is true, get the location of X from a mysql server.
Run a hgweb cgi script (python) containing the path of the repository.
Here is the problem, I want to: take the hgweb script, modify it, and run it.
But I do not want to: take the hgweb script, modify it, write it to a file and redirect there.
I am using Apache to run the httpd process.
Ryan Ballantyne has the right answer posted (I upvoted it). The backtick operator is the way to execute a shell script.
The simplest solution is probably to modify the hgweb script so that it doesn't "contain" the path to the repository, per se. Instead, pass it as a command-line argument. This means you don't have to worry about modifying and writing the hgweb script anywhere. All you'd have to do is:
// do stuff to get location of repository from MySQL into variable $x
// quote the value so the shell treats it as a single argument
$arg = escapeshellarg($x);
// run shell script
$res = `python hgweb.py $arg`;
You can run shell scripts from within PHP. There are various ways to do it, and complications with some hosts not providing the proper permissions, all of which are well-documented on php.net. That said, the simplest way is to simply enclose your command in backticks. So, to unzip a file, I could say:
`unzip /path/to/file`
So, if your Python script is such that it can be run from a command-line environment (or you could modify it so as to run), this would seem to be the preferred method.
As far as your question, no, you're not likely to get PHP to execute a modified script without writing it somewhere, whether that's a file on the disk, a virtual file mapped to RAM, or something similar.
It sounds like you might be trying to pound a railroad spike with a twig. If you're to the point where you're filtering access based on user permissions stored in MySQL, have you looked at existing HG solutions to make sure there isn't something more applicable than hgweb? It's really built for doing exactly one thing well, and this is a fair bit beyond its normal realm.
I might suggest looking into apache's native authentication as a more convenient method for controlling access to repositories, then just serve the repo without modifying the script.
