Posted by Julien Biezemans on 05/19/06 07:56

Hi!

Here is the problem: I'd like to restrict local filesystem stream
operations to one directory just like a root jail.

fopen('/file.bin') would actually open /some/path/file.bin.

One goal of this behavior is to prevent Xinclude instructions to point
to "out of application directory" files when processed by the XSLT
processor, among other things.

I've been reading all I can about streams and wrappers and came to the
conclusion that one have no possibility of rewriting a stream wrapper
for the file:// scheme. Even if we can unregister the built-in wrapper
and register a custom one, we have no way to do the actual on-disk
stream operations within that wrapper.

My idea was to:

1. register a custom scheme that would use the built-in wrapper used to
handle the file:// wrapper. That could even be something dynamic to
prevent 3rd-party XML documents to use that unrestricted scheme. let's
say we give it a static name and call it "file.full://".

2. write a wrapper rejecting operations on files outside of the allowed
jailed directory. that wrapper would use the file.full:// scheme to
actually write/read data, after having mapped jailed paths to real
filesystem paths.

Here is an example:

1. An XML document needs "/dir/file.xml" to be xinclude'd by the XSLT
processor.

2. The custom file:// wrapper receives the request and maps
"/dir/file.xml" to "/var/www/data-jail/dir/file.xml". It then uses the
file.full:// scheme to pass the request to the real wrapper. This means
that what I wanted was a situation where "file:///dir/file.xml" is
equivalent to "file.full:///var/www/data-jail/dir/file.xml".

As already said, file.full could be dynamic to prevent the XML document
from using the unrestricted wrapper.

Ideally, PHP would provide the classes that handle the built-in schemes.
Imagine that 'BuiltInFileWrapper' is the class that handle file://
streams by default:

<?php
stream_wrapper_unregister('file');
stream_wrapper_register('file', 'CustomRestrictedFileWrapper');
stream_wrapper_register('file.full', 'BuiltInFileWrapper');
?>

In this example my CustomRestrictedFileWrapper class may still actually
handle the read/write operations through the file.full scheme.



Is there any solution to simulate this? How can I get that behavior?

Another less important question is: is it possible to register another
default scheme than file://?

Thank you very much for your help,

Julien.

[Back to original message]