Request #54066 Add possibility to reflect on a file not loaded in memory
Submitted: 2011-02-21 21:32 UTC Modified: 2018-05-05 18:34 UTC
From: mathieu at xlsoft dot ca Assigned:
Status: Wont fix Package: Reflection related
PHP Version: 5.3.5 OS: Any
Private report: No CVE-ID: None
 [2011-02-21 21:32 UTC] mathieu at xlsoft dot ca
Description:
------------
I'd like to see a ReflectionFile class added to the Reflection API that would allow you to reflect on the content of a file instead of on loaded information.

The reasons for this can vary, but in my current case it is to reflect the class and code information inside of a file to display to a user. I'm building a web IDE that will display the class information of a file in a web project. I don't want to load that file because it could be a security issue and launch code that I don't want to launch.

Other uses for this are to validate that a file contains a specific class, or to reflect on the classes in the file to find whether they implement an interface or extend a specific class, without having to load the code into execution space.

Finally, if a file contains non-encapsulated code that could be executed when including the file, the ReflectionFile class could be used to detect that and you could refuse to use the class file. For example, if a whiz tries to place a statement hidden between two class definitions that could compromise your application, you could detect it with:

if ($myReflectedFile->hasExecutableStatements()) {
    // Refuse usage of this file
} else {
    include($myReflectedFile->filename);
}

The implications of this class are many; it allows many other options, such as documentation extraction from a code file. Many of us are aware that if bytecode caching is active on a server you won't be able to detect document comments; reading them from the file instead of from memory could make much more comment extraction possible.


 [2018-05-05 18:34 UTC] requinix@php.net
-Status: Open +Status: Wont fix
 [2018-05-05 18:34 UTC] requinix@php.net
Old request is old.

To my knowledge this is non-trivial and would require significant work to implement for a small number of use cases. Consider also that Reflection allows for many actions that depend upon the code having been loaded successfully, such as instantiating classes, traversing class hierarchies, and calling methods. There are userland PHP code parsing libraries out there, even using PHP's own tokenization functionality, which could be built upon to perform the sorts of validation suggested in this report.

As such, anyone interested in this feature should talk to the internals mailing list. https://wiki.php.net/rfc/howto
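
The check sketched in the report (refuse a file that has code at file scope) can be approximated in userland with the tokenizer the reply mentions. The following is an added example, not code from the report or from php.net: findFileScopeCode() is a hypothetical helper, it assumes PHP 8.0+ token semantics, and it reports anything it does not recognise as a plain declaration (including const, enum, attributes and braced namespace/declare blocks) rather than analysing it.

```php
<?php
// Added example, not php.net code. Assumes PHP 8.0+ with the tokenizer extension.
// findFileScopeCode() is a hypothetical helper: it tokenises the source, never includes it.
function findFileScopeCode(string $source): array
{
    $skip    = [T_OPEN_TAG, T_WHITESPACE, T_COMMENT, T_DOC_COMMENT];
    $decl    = [T_NAMESPACE, T_USE, T_DECLARE, T_CLASS, T_INTERFACE, T_TRAIT,
                T_FUNCTION, T_ABSTRACT, T_FINAL];
    $noBrace = [T_NAMESPACE, T_DECLARE]; // block forms wrap code we do not descend into
    $found = []; $depth = 0; $line = 1;
    $kind = null;     // id of the token that opened the current file-scope statement
    $atStart = true;  // next significant token begins a new file-scope statement
    // TOKEN_PARSE throws ParseError on invalid source; callers should treat that as a refusal.
    foreach (token_get_all($source, TOKEN_PARSE) as $tok) {
        $id   = is_array($tok) ? $tok[0] : null;
        $char = is_array($tok) ? null : $tok;
        if (is_array($tok)) { $line = $tok[2]; }
        if (in_array($id, $skip, true)) { continue; }
        if ($id === T_CLOSE_TAG) {          // a closing tag ends a statement like ';'
            if ($depth === 0) { $atStart = true; }
            continue;
        }
        if ($depth === 0 && $atStart) {
            $atStart = false;
            $kind = $id;
            // Anything that is not a known declaration keyword is reported (fails closed).
            if (!in_array($id, $decl, true)) { $found[] = $line; }
        }
        if ($char === '{' || $id === T_CURLY_OPEN || $id === T_DOLLAR_OPEN_CURLY_BRACES) {
            if ($depth === 0 && in_array($kind, $noBrace, true)) { $found[] = $line; }
            $depth++;
        } elseif ($char === '}') {
            if (--$depth === 0) { $atStart = true; }
        } elseif ($char === ';' && $depth === 0) {
            $atStart = true;
        }
    }
    return array_values(array_unique($found)); // line numbers of file-scope code
}
// Constructed sample: a call placed between two class definitions.
$sample = <<<'PHP'
<?php
namespace App;
class A { public function f() { return "{$this->x}"; } }
error_log('runs on include');
class B {}
PHP;
$lines = findFileScopeCode($sample);
echo $lines ? 'refuse: file-scope code at line ' . implode(', ', $lines) : 'declarations only', PHP_EOL;
```

A clean result only says that nothing runs at include time; code inside methods and functions still executes once the application calls it.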
 
Last updated: Thu Dec 26 12:01:30 2024 UTC