
Sandboxing Users' PHP Code

I want to limit what PHP functionality my users have access to.

For instance, there is an object `$data` and the user likes to use `if`, `for` and `echo`.

Obviously allowing him to write PHP would be a serious vulnerability.

Is there any way to run this PHP in a sandbox or would you recommend any lightweight PHP template engine?

jantimon asked Jul 23 '10 07:07


6 Answers

If you don't have your own server you probably don't have runkit. But what you do have (probably) is Tokenizer! Using the Tokenizer you may look through the given source code and abort if you find an invalid token. Here is an example of how to validate an array using this. You could do the same for your purpose. The PHP documentation has a list of tokens. If you need help deciding which tokens to allow or to disallow, please say so.

Edit: And obviously I do recommend using Twig, too. It is so nice - and has sandboxing!

NikiC answered Oct 11 '22 14:10
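The Tokenizer check described in the answer above, as an added example that is not part of the original answer: it lexes a user snippet with `token_get_all()` and reports every token outside an allow-list. The allow-list, the rule that any call is refused, the function name `find_violations` and the sample snippets are assumptions made for the question's "`if`, `for` and `echo` on `$data`" case.

```php
<?php
// Allow-list (an assumption, sized for "if, for and echo" on $data).
const ALLOWED_TOKENS = [
    T_OPEN_TAG, T_WHITESPACE, T_VARIABLE, T_STRING, T_OBJECT_OPERATOR,
    T_IF, T_ELSE, T_ELSEIF, T_FOR, T_FOREACH, T_AS, T_ECHO,
    T_LNUMBER, T_DNUMBER, T_CONSTANT_ENCAPSED_STRING,
    T_IS_EQUAL, T_IS_NOT_EQUAL, T_IS_SMALLER_OR_EQUAL, T_IS_GREATER_OR_EQUAL,
    T_BOOLEAN_AND, T_BOOLEAN_OR, T_INC, T_DEC,
];
const ALLOWED_CHARS = '(){}[];,.=<>!+-*/';
// A "(" straight after any of these is treated as a call and refused.
const CALL_PRECEDERS = [T_STRING, T_VARIABLE, T_CONSTANT_ENCAPSED_STRING, ')', ']', '}'];

/** Returns a list of violations; an empty list means the snippet passed. */
function find_violations(string $code): array
{
    $violations = [];
    $prev = null; // previous non-whitespace token: id (int) or single char (string)
    foreach (token_get_all('<?php ' . $code) as $token) {
        [$id, $text] = is_array($token) ? [$token[0], $token[1]] : [$token, $token];
        if ($id === T_WHITESPACE) {
            continue;
        }
        if (is_int($id) && !in_array($id, ALLOWED_TOKENS, true)) {
            $violations[] = token_name($id) . " not allowed: $text";
        } elseif (is_string($id) && strpos(ALLOWED_CHARS, $id) === false) {
            $violations[] = "character not allowed: $id";
        } elseif ($id === T_STRING && $prev !== T_OBJECT_OPERATOR) {
            // A bare name is a function, class or constant; only ->property passes.
            $violations[] = "bare identifier not allowed: $text";
        } elseif ($id === '(' && in_array($prev, CALL_PRECEDERS, true)) {
            $violations[] = 'function or method call not allowed';
        }
        $prev = $id;
    }
    return $violations;
}

// Constructed sample inputs: the first should pass, the rest should be refused.
$samples = [
    'foreach ($data->items as $item) { if ($item->price > 10) { echo $item->name; } }',
    'echo strtoupper($data->name);',
    '$f = $data->callback; echo $f($data);',
    'include $data->path;',
];
foreach ($samples as $snippet) {
    $found = find_violations($snippet);
    echo ($found ? 'REJECT' : 'ALLOW '), "  $snippet\n";
    foreach ($found as $v) { echo "        $v\n"; }
}
```

The check is purely lexical, so a snippet that passes can still be syntactically invalid, and property access on `$data` still runs whatever magic methods that object defines. Token ids differ between PHP versions, so the allow-list has to be reviewed for the version in use.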


The only one I know so far is runkit.

The runkit extension provides means to modify constants, user-defined functions, and user-defined classes. It also provides for custom superglobal variables and embeddable sub-interpreters via sandboxing.

Update:

I could find these two links regarding Zend and runkit that you should take a look at:

http://framework.zend.com/wiki/display/ZFPROP/Zend_Http_Server+-+Mat+Scales
http://www.dunfy.me.uk/?p=38

Sarfraz answered Oct 11 '22 13:10


Along the lines of Smarty, give Twig a try!

There is also a very robust extension system which allows you to allow/disallow built-in or custom tags, token parsers, nodes, etc. in the template language itself. This way, users can have basic logic (conditional statements, "functions" (blocks) and iterators) without resorting to the evils of eval.

efritz answered Oct 11 '22 14:10


Tried Smarty? http://www.smarty.net/

Homer6 answered Oct 11 '22 13:10


The PECL runkit extension does provide sandboxing, but it's possibly a bit overkill for what you want to do.

Mark Baker answered Oct 11 '22 13:10


PHP Fat-Free Framework has a template engine that prohibits the use of PHP code and allows you to define which functions can be used inside HTML templates.

There's also a real sandboxing feature that makes functions and include files independent of others, i.e. variables/functions in one include file are not known to others, so you can have a function with an identical name as another include file. This may be of some use for (dysfunctional) developer teams.

bcosca answered Oct 11 '22 13:10