I’ve been working on an application that will allow for third-party extensions to be built to expand the application’s functionality. All this in PHP, of course. I wanted to add a bit of security padding by running files in a certain directory through a checksum function. If the file doesn’t pass the checksum, the file isn’t “included”, the administrator for that installation is notified, and the module is disabled until the administrator acts (re-enables and records the exception, or reinstalls the module).
The problem I’m having right now is being able to run that checksum whenever a user runs the include() function. I’d rather not have them run two functions back to back just to include a file, but if I have to I will. Not all third-party extensions will be very willing to run two functions (something like if(checksum_function($bleh)) include($bleh); ), and even if they were, it’d be so much easier (and more secure) to run the checksum whenever include() is executed, instead of doubling the line count for include() statements.
I’ve done some searching around and haven’t found much. Ideas? Thanks in advance!
If your includes are classes named after a certain system (e.g. MyPlugin_Text) you could make use of PHP’s autoloading. Autoloading can be used to automatically include a file when an object of a class is first created. Extremely simplified example:
Obviously, you will want to extend the autoloader, e.g. to do the preloading only for classes starting with MyPlugin_ and load those from a specific folder. I know of no other way to achieve what you want to do, except writing a custom wrapper function.
I like your idea in general. However, calculating a checksum – e.g. using crc32() – is relatively expensive. There shouldn’t be too many, and not too big, includes loaded this way. Also, it stands to reason that if an attacker is able to modify PHP files on your system, they are also able to execute them directly without needing your central application. The actual security gain of this exercise is likely to be small.