I am writing a PHP script to handle input from Apache mod_rewrite. Essentially, mod_rewrite supplies a key to stdin, which PHP does its thing with and then returns the output on stdout. Foreseeing the need to time how long PHP will wait for a key to be supplied, I decided to fork the process into a timed child process (code below). Speaking to someone on IRC, they suggested this was a potential security hole. I would like to understand this further if anyone has comments. What should I protect against? Is forking the process really necessary? Thanks. (BTW: the code is still being developed.)
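#!/usr/bin/php -q
<?php
//ben at gelbnet dot com
//25-Sep-2002 03:53
//php.net/fopen
class CLI
{
    // Properties
    var $return_char = "\n";
    var $timeout;        // seconds to wait for input
    var $pid;            // PID of this (parent) process
    var $cpid = 0;       // PID of the timer child, 0 when none is running

    //Make sure program execution doesn't time out
    //set_time_limit(0);

    // PHP 8 no longer treats a method named after the class as the constructor.
    function __construct($timeout = 5)
    {
        $this->timeout = $timeout;
        $this->pid = getmypid();
    }

    // Fork a child that terminates the parent after $timeout seconds.
    function _setTimeout()
    {
        set_time_limit(0);
        $pid = pcntl_fork();
        if ($pid == -1) {
            // Fork failed: no timer is running, so there is nothing to signal later.
            $this->cpid = 0;
            return;
        }
        if ($pid == 0) {
            // Child: wait, then terminate the parent if it is still blocked on stdin.
            sleep($this->timeout);
            posix_kill($this->pid, SIGTERM);
            exit;
        }
        $this->cpid = $pid;
    }

    // Stop the timer child once input has arrived.
    function _clearTimeout()
    {
        // Only signal a real child: a PID of 0 or -1 addresses a whole set of processes.
        if ($this->cpid > 0) {
            posix_kill($this->cpid, SIGTERM);
            pcntl_waitpid($this->cpid, $status); // reap the child so it does not linger as a zombie
            $this->cpid = 0;
        }
    }

    // stdin()
    // gets a line of data from STDIN and returns it
    function stdin()
    {
        $in = fopen("php://stdin", "r");
        if (is_object($this)) $this->_setTimeout();
        $in_string = fgets($in, 255);
        if (is_object($this)) $this->_clearTimeout();
        fclose($in);
        return $in_string;
    }

    // stdout($outstring)
    // writes data to STDOUT
    function stdout($outstring)
    {
        $out = fopen("php://stdout", "w");
        fwrite($out, $outstring);
        fclose($out);
    }
}

$t = new CLI();
echo $t->stdin();
?>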
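
A timed read that needs no second process, as an added example that is not part of the original post: it assumes the script runs as a RewriteMap `prg:` helper (one key per line on stdin, one value per line on stdout, the string NULL when there is no match). The key pattern, the map contents and the function names are constructed for illustration.

```php
<?php
// Added example: timed stdin read for a RewriteMap "prg:" helper, without fork.
// KEY_PATTERN, $map and the function names are constructed for illustration.
const KEY_PATTERN = '/\A[A-Za-z0-9_-]{1,64}\z/';

// Wait up to $timeout seconds for one line; returns null on timeout or EOF.
function readKey($in, int $timeout): ?string
{
    $read = [$in];
    $write = $except = null;
    $ready = stream_select($read, $write, $except, $timeout);
    if ($ready === false || $ready === 0) {
        return null; // interrupted or timed out: nothing to read yet
    }
    // Read the whole line so that one request always yields exactly one reply.
    $line = fgets($in);
    return $line === false ? null : rtrim($line, "\r\n");
}

// Return a single-line value for $key, or "NULL" when the key is rejected or unknown.
function lookup(string $key, array $map): string
{
    if (!preg_match(KEY_PATTERN, $key) || !isset($map[$key])) {
        return 'NULL';
    }
    // A line break inside a value would be read by Apache as a second reply.
    return str_replace(["\r", "\n"], '', $map[$key]);
}

$map = ['docs' => '/docs/index.html', 'blog' => '/blog/index.php']; // constructed sample data
$in  = fopen('php://stdin', 'r');
$out = fopen('php://stdout', 'w');

while (!feof($in)) {
    $key = readKey($in, 5);
    if ($key === null) {
        continue; // idle timeout: loop again; feof() ends the loop once stdin is closed
    }
    fwrite($out, lookup($key, $map) . "\n");
    fflush($out); // the reply must reach Apache immediately, not sit in a buffer
}
```

The idle branch is where any periodic work or a deliberate exit would go; no signals are sent, so a failed fork or a stale PID cannot cause the wrong process to be terminated.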