Automatically Include files based on name in a directory


I'm trying to make things as simple as possible for a friend. The idea is a CMS system where to install new features they simply have to upload the new files and voila. So far I've managed fine, but there's 1 part I need a little help with. Layout is as follows:

 

Main Directory

./includes

...various things here...

./modules

....where the new features will get uploaded to

 

Now let's say there are admin parts to each module; each will consist of a prefix of admin_ in the name (i.e., admin_blog.php) where the actual module itself will be blog.php.

 

The admin part of the site has its administrative navigation on the left hand side. How would I go about searching through all files in the modules directory for those beginning with admin_ and then saving the part after to, say, an array?

 

For example, if I have blog.php, admin_blog.php, forum.php, admin_forum.php, I would look through the directory and put forum.php and blog.php in an array where I can use the information later.

 

Thanks in advance

This is a rather messy approach. On top of that, you'll quickly end up with a local file inclusion vulnerability if you dump anything that starts with “admin_” into your application with no checks whatsoever.

 

A much better solution would be to store the modules as folders. Each folder may contain a meta file containing information about the module itself (a user-friendly name, a short description, a version etc.). The modules should then be explicitly activated.

Wouldn't a local file inclusion vulnerability only exist if the user is inserting filenames in the URL? The way I've been doing it, the files are checking if a file exists before deciding what to do.

 

Going your way, I would need as follows?

./modules/module_name/mod_info.php

./modules/module_name/module.php

./modules/module_name/admin_module.php

 

And then save the enabled modules in a database after they are activated in the admin cp?

Wouldn't a local file inclusion vulnerability only exist if the user is inserting filenames in the URL?

 

My point is that any user or service with write access to the modules folder can inject code into the core application, which is an unnecessary risk. The modules should be explicitly approved before anything gets loaded.

 

 

 

Going your way, I would need as follows?

./modules/module_name/mod_info.php

./modules/module_name/module.php

./modules/module_name/admin_module.php

 

The info file should not be an executable script, otherwise you run into the exact same security issues. Use a data format like JSON, XML or whatever.

 

 

 

And then save the enabled modules in a database after they are activated in the admin cp?

 

Correct.

Okay so trying this out and my brain feels like it's been pickled atm.

 

I have a file test_mod.mod in the folder modules/test_mod/

 

This file contains:

 

name=test_mod
description=A test module to be installed
version=1.1.0.1
author=RMorrison

Update

Managed to parse the file with this code:

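$file = './modules/test_mod/test_mod.mod';

// nl2br() puts "<br />" before each newline; strip the newlines, then split on the tag
$contents = explode("<br />", str_replace(array("\r", "\n"), "", nl2br(file_get_contents($file))));

$some_array = array();
foreach ($contents as $line) {
    // Skip blank or malformed lines that carry no key=value pair
    if (strpos($line, '=') === false) {
        continue;
    }
    // Split on the first '=' only, so values may contain '='
    $a = explode('=', $line, 2);
    $some_array[$a[0]] = $a[1];
}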

 
This does what I need it to do for getting the information, but is this the best, most efficient way to do it?
  • Solution

Like I said above: Use a standard format like JSON or XML. PHP already has parsers for those.

 

For example:

 

config.json

{
    "name": "some_name",
    "description": "some description",
    "version": "1.0",
    "author": "RMorrison"
}

Parsing:

<?php

$config_content = file_get_contents('/path/to/config.json');
$config = json_decode($config_content, true);

// echo the version number for testing
echo $config['version'];
Edited by Jacques1
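
The approach agreed on in this thread (modules as folders, a JSON meta file that is parsed rather than executed, and an explicit list of enabled modules) could be put together as follows. This is an added example, not code posted by anyone in the thread. The function name `loadEnabledModules` is hypothetical, `$enabled` stands in for the list that would be read from the database, and the file names `config.json` and `admin_module.php` are taken from the posts above.

```php
<?php
declare(strict_types=1);

/**
 * Return metadata and admin-script paths for modules that are both present
 * on disk and explicitly enabled. $enabled stands in for the list the thread
 * stores in the database (assumption); file names follow the thread's layout.
 */
function loadEnabledModules(string $modulesDir, array $enabled): array
{
    $base = realpath($modulesDir);
    if ($base === false) {
        return [];
    }
    $modules = [];
    foreach ($enabled as $name) {
        // Names come from the allowlist, but still reject anything that could
        // escape the modules directory (slashes, dots, null bytes).
        if (!is_string($name) || !preg_match('/^[a-z0-9_]{1,64}$/', $name)) {
            continue;
        }
        $metaFile = "$base/$name/config.json";
        if (!is_file($metaFile)) {
            continue; // enabled in the database but missing on disk
        }
        // The meta file is parsed as data, never include()'d.
        $meta = json_decode((string) file_get_contents($metaFile), true);
        if (!is_array($meta) || !isset($meta['name'], $meta['version'])
            || !is_string($meta['name']) || !is_string($meta['version'])) {
            continue; // malformed JSON or missing fields
        }
        // Resolve symlinks and confirm the admin script is still inside $base.
        $admin = realpath("$base/$name/admin_module.php");
        if ($admin !== false && strncmp($admin, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
            $admin = false;
        }
        $modules[$name] = [
            'name'    => $meta['name'],
            'version' => $meta['version'],
            'admin'   => $admin === false ? null : $admin,
        ];
    }
    return $modules;
}

// Constructed usage: only 'blog' is enabled, so an uploaded 'forum' folder is ignored.
foreach (loadEnabledModules(__DIR__ . '/modules', ['blog']) as $id => $m) {
    echo htmlspecialchars($m['name'], ENT_QUOTES, 'UTF-8'), ' ', $m['version'], PHP_EOL;
}
```

The admin navigation would be built from the returned array, and only the `admin` paths it contains would ever be passed to `include`.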