views:

257

answers:

6
+4  Q: 

PHP - Sandboxing

Hi all,

I want to limit what PHP functionality my users have access to.

For instance, there is an object `$data`, and the user would like to use `if`, `for`, and `echo` with it.

Obviously allowing him to write PHP would be a serious vulnerability.

Is there any way to run this PHP in a sandbox or would you recommend any lightweight PHP template engine?

+1  A: 

Tried Smarty? http://www.smarty.net/

Homer6
There is also Dwoo: http://dwoo.org/ which is more PHP5-ish
Macmade
@Ghommey: If you really only want customizable output, then this is your choice. A template engine is a lot easier to maintain than a PHP sandbox.
Baju
+1  A: 

The PECL runkit extension does provide sandboxing, but it's possibly a bit overkill for what you want to do

Mark Baker
+4  A: 

The only one I know so far is runkit.

The runkit extension provides means to modify constants, user-defined functions, and user-defined classes. It also provides for custom superglobal variables and embeddable sub-interpreters via sandboxing.

Update:

I found these two links regarding Zend and runkit that you should take a look at:

http://framework.zend.com/wiki/display/ZFPROP/Zend_Http_Server+-+Mat+Scales
http://www.dunfy.me.uk/?p=38

Sarfraz
Runkit requires Thread Safety to be enabled and Zend requires Thread Safety to be disabled. Is there a way to use Zend and Runkit?
Ghommey
`The Runkit_Sandbox class is only available as of PHP 5.1.0 or specially patched versions of PHP 5.0, and requires that thread safety be enabled.` In my `phpinfo()`, runkit is enabled; however, runkit_sandbox is disabled, probably because of the thread safety.
Ghommey
@Ghommey: That's what we have so far :(
Sarfraz
+4  A: 

Along the lines of smarty, give twig a try!

There is also a very robust extension system which allows you to allow/disallow built-in or custom tags, token parsers, nodes, etc in the template language itself. This way, users can have basic logic (conditional statements, "functions" (blocks) and iterators) without resorting to the evils of eval.

efritz
+1 for proposing Twig - it is the BEST!
nikic
Twig blows smarty out of the water and it's still in active development.
Kendall Hopkins
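An added example of the allow/disallow policy efritz describes, written against Twig 3's sandbox extension (this is not the answer's own code, nor Twig project code). The `Article` class, the three template strings and the `vendor/autoload.php` path are assumptions; it assumes PHP 8 and `composer require twig/twig`:

```php
<?php
declare(strict_types=1);
// Added example, not from the answer above: Twig sandbox mode with an explicit
// SecurityPolicy. Assumes PHP 8 and `composer require twig/twig` (Twig 3.x).
require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Extension\SandboxExtension;
use Twig\Loader\ArrayLoader;
use Twig\Sandbox\SecurityError;
use Twig\Sandbox\SecurityPolicy;

// Constructed sample: the "$data" object from the question. delete() stands in
// for any method a template author must never be able to reach.
final class Article
{
    public function __construct(public string $title, public array $tags) {}
    public function getTitle(): string { return $this->title; }
    public function delete(): void { throw new RuntimeException('must not be reachable from a template'); }
}

// Everything is a whitelist: tags, filters, methods per class, properties per class, functions.
// 'escape' is the filter autoescaping inserts, so it stays on the list.
$policy = new SecurityPolicy(
    ['if', 'for'],                          // allowed tags ({% include %}, {% set %}, ... are rejected)
    ['escape', 'upper'],                    // allowed filters
    [Article::class => ['getTitle']],       // allowed methods, keyed by class
    [Article::class => ['title', 'tags']],  // allowed properties, keyed by class
    []                                      // allowed functions: none (no dump(), no constant(), ...)
);

// User templates live in an ArrayLoader rather than on disk, and the sandbox is
// enabled globally ($sandboxed = true) so every template is checked, not only
// those wrapped in {% sandbox %}.
$twig = new Environment(new ArrayLoader([
    'ok'    => '<h1>{{ data.getTitle()|upper }}</h1>{% for t in data.tags %}<li>{{ t }}</li>{% endfor %}',
    'bad'   => '{{ data.delete() }}',
    'worse' => '{% include "/etc/passwd" %}',
]), ['autoescape' => 'html']);
$twig->addExtension(new SandboxExtension($policy, true));

$data = new Article('Hello <World>', ['a', 'b']);
echo $twig->render('ok', ['data' => $data]), "\n";
// <h1>HELLO &lt;WORLD&gt;</h1><li>a</li><li>b</li>

// Both violations surface as Twig\Sandbox\SecurityError subclasses
// (SecurityNotAllowedMethodError, SecurityNotAllowedTagError).
foreach (['bad', 'worse'] as $name) {
    try {
        $twig->render($name, ['data' => $data]);
    } catch (SecurityError $e) {
        echo get_class($e), ': ', $e->getMessage(), "\n";
    }
}
```

Two practical points: the method and property lists are keyed by class, so an object of a class you did not list exposes nothing at all, which is the safe default for the `$data` object in the question; and the check is a whitelist, so adding a filter or function later (`date`, `constant`, `range`) is a deliberate decision rather than something a template author can discover.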
+1  A: 

PHP Fat-Free Framework has a template engine that prohibits the use of PHP code and allows you to define which functions can be used inside HTML templates.

There's also a real sandboxing feature that makes functions and include files independent of others, i.e. variables/functions in one include file are not known to others, so you can have a function with the same name as one in another include file. This may be of some use for (dysfunctional) developer teams.

stillstanding
+6  A: 

If you don't have your own server, you probably don't have runkit. But what you do have (probably) is the Tokenizer! Using the Tokenizer, you may look through the given source code and abort if you find an invalid token. Here is an example of how to validate an array using this. You could do the same for your purpose. The PHP documentation has a list of tokens. If you need help deciding which tokens to allow or to disallow, please say so.

Edit: And obviously I do recommend using Twig, too. It is so nice - and has sandboxing!

nikic
Twig has sandboxed template code. This is not as good as the runkit sandbox, but I don't have to reinstall the PHP server. Thank you very much!
Ghommey
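An added example of the token-whitelist approach nikic describes, not code from the answer itself (the array-validation example the answer refers to is not reproduced on this page). It uses `token_get_all()` to restrict a user snippet to HTML, `echo`, `if`/`for`/`foreach`, comparisons, arithmetic and read-only access to named variables, then runs what passes through `eval()`. The `PhpSubsetValidator` class, `renderSubset()`, the allowed-token lists and the sample templates are all assumptions of this example; it assumes PHP 8.

```php
<?php
declare(strict_types=1);
// Added example, not code from the answer above. A token whitelist over
// token_get_all() that accepts only: literal HTML, echo, if/elseif/else,
// for/foreach, comparisons, arithmetic and read-only use of named variables.
// Calls, new, include, ::, namespaces, backticks, "$$var", string
// interpolation and any variable not on the list are rejected.

final class PhpSubsetValidator
{
    // Named tokens the subset may contain; T_STRING is handled separately below.
    private const ALLOWED_TOKENS = [
        T_OPEN_TAG, T_OPEN_TAG_WITH_ECHO, T_CLOSE_TAG, T_INLINE_HTML,
        T_ECHO, T_IF, T_ELSEIF, T_ELSE, T_ENDIF,
        T_FOR, T_ENDFOR, T_FOREACH, T_ENDFOREACH, T_AS, T_DOUBLE_ARROW,
        T_VARIABLE, T_OBJECT_OPERATOR, T_LNUMBER, T_DNUMBER, T_CONSTANT_ENCAPSED_STRING,
        T_IS_EQUAL, T_IS_NOT_EQUAL, T_IS_IDENTICAL, T_IS_NOT_IDENTICAL,
        T_IS_SMALLER_OR_EQUAL, T_IS_GREATER_OR_EQUAL, T_BOOLEAN_AND, T_BOOLEAN_OR, T_INC, T_DEC,
    ];
    // Single-character tokens the subset may contain. Deliberately absent: '$' '`' '@' '"' '\'.
    private const ALLOWED_CHARS = ['(', ')', '{', '}', '[', ']', ';', ',', '.', '=',
        '+', '-', '*', '/', '%', '<', '>', '!', '?', ':'];
    // A '(' right after one of these is a call: $f(), $o->m(), 'phpinfo'(), $a[0](), (...)().
    private const CALL_PREDECESSORS = [T_VARIABLE, T_STRING, T_CONSTANT_ENCAPSED_STRING, ')', ']'];

    /** @param string[] $allowedVariables variable names without the leading '$' */
    public function __construct(private array $allowedVariables) {}

    /** @return string[] reasons for rejection; an empty array means the snippet passed */
    public function violations(string $code): array
    {
        $problems = [];
        $prev = null; // last significant token: an int token id or a one-character string
        foreach (token_get_all($code) as $tok) {
            if (is_string($tok)) {
                if (!in_array($tok, self::ALLOWED_CHARS, true)) {
                    $problems[] = "character '$tok' is not allowed";
                } elseif ($tok === '(' && in_array($prev, self::CALL_PREDECESSORS, true)) {
                    $problems[] = 'call syntax is not allowed';
                }
                $prev = $tok;
                continue;
            }
            [$id, $text, $line] = $tok;
            if ($id === T_WHITESPACE || $id === T_COMMENT || $id === T_DOC_COMMENT) {
                continue; // skipped and not recorded as $prev, so the adjacency checks see through them
            }
            if ($id === T_STRING) {
                // A bare identifier is only acceptable as true/false/null or as a property name after '->'.
                $literal = in_array(strtolower($text), ['true', 'false', 'null'], true);
                if (!$literal && $prev !== T_OBJECT_OPERATOR) {
                    $problems[] = "identifier '$text' on line $line is not allowed";
                }
            } elseif ($id === T_VARIABLE) {
                if (!in_array(substr($text, 1), $this->allowedVariables, true)) {
                    $problems[] = "variable $text on line $line is not allowed";
                }
            } elseif (!in_array($id, self::ALLOWED_TOKENS, true)) {
                $problems[] = sprintf("%s ('%s') on line %d is not allowed", token_name($id), $text, $line);
            }
            $prev = $id;
        }
        return $problems;
    }
}

// Validates, then runs the snippet with only $vars (plus loop variables) in scope.
// This still goes through eval(): one token you forgot to forbid is code execution.
function renderSubset(string $template, array $vars, array $loopVars = []): string
{
    $validator = new PhpSubsetValidator([...array_keys($vars), ...$loopVars]);
    if ($problems = $validator->violations($template)) {
        throw new InvalidArgumentException('template rejected: ' . implode('; ', $problems));
    }
    $run = static function () use ($template, $vars): string { // static closure: no $this inside
        extract($vars, EXTR_SKIP);
        ob_start();
        try {
            eval('?>' . $template); // leading '?>' starts in HTML mode so the snippet can mix HTML and <?php ?>
        } finally {
            $out = ob_get_clean();
        }
        return $out;
    };
    return $run();
}

// Constructed sample input.
$data = (object) ['name' => 'Ghommey', 'items' => ['one', 'two']];
$good = '<h1><?= $data->name ?></h1><?php foreach ($data->items as $item): ?><li><?= $item ?></li><?php endforeach; ?>';
$bad  = '<?php echo $data->name; system("id"); ?>';
echo renderSubset($good, ['data' => $data], ['item']), "\n";   // <h1>Ghommey</h1><li>one</li><li>two</li>
print_r((new PhpSubsetValidator(['data']))->violations($bad)); // identifier 'system' ..., call syntax ...
```

The whitelist is deliberately tiny, and the `(`-after-identifier rule exists because PHP has several call spellings that never involve a function-name token (`$var()`, `'name'()`, `$a[0]()`, `(...)()`). Even so, this is a filter in front of `eval()`, not a sandbox: a forgotten token or a PHP syntax you did not anticipate turns straight into code execution, and `eval()` still throws `ParseError` for malformed input that the validator happens to accept. That is the trade-off the comment above describes when it calls Twig's sandbox "not as good as runkit-sandbox" but good enough: the template engine never hands user text to the PHP compiler at all.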