I am using create_function to run some user-code at server end. I am looking for any of these two:
我正在使用create_function在服务器端运行一些用户代码。我正在寻找这两个中的任何一个:
- Is there a way to sanitize the code passed to it to prevent something harmful from executing?
- Alternately, is there a way to specify this code to be run in a sandboxed environment so that the user can't play around with anything else.
有没有办法清理传递给它的代码,以防止执行有害的东西?
或者,有没有办法指定此代码在沙盒环境中运行,以便用户无法使用其他任何东西。
Thanks!
8 个解决方案
#2
You could use the tonkenizer to figure out what the code will do, then whitelist certain functions and operations. I think it would end up being very difficult (or impossible) to make it foolproof, especially given PHP's flexibility:
您可以使用tonkenizer来确定代码将执行的操作,然后将某些功能和操作列入白名单。我认为最终将它变得非常困难(或不可能)使其变得万无一失,特别是考虑到PHP的灵活性:
$f = "shell_exec";
$arg = 'rm -rf /';
$f($arg); // ouch
call_user_func($f, $arg); // ouch
eval("$f('$arg');"); // ouch
$newF = create_user_function('', "$f('$arg');");
$newF(); // ouch
The only kind of sandbox that will give you 100% security (well, 99.9%...) is a virtual machine you can just throw away afterwards.
唯一能给你100%安全性的沙箱(好吧,99.9%......)是一个虚拟机,你可以随后扔掉。
#3
We use the tokenizer to analyze code statically, as well as modify the code to perform runtime checks for certain things. This is done with the tokenizer and scripts based on the tokenizer. Since the tokenizer is the same one PHP actually uses, it improves your luck over writing your own.
我们使用tokenizer静态分析代码,并修改代码以对某些事情执行运行时检查。这是通过基于tokenizer的tokenizer和脚本完成的。由于标记化器与PHP实际使用的标记化器相同,因此它可以提高您编写自己的运气。
I've seen people using regexes to try to analyze a language. This is a really bad idea.
我见过人们使用正则表达式试图分析一种语言。这是一个非常糟糕的主意。
But ...
Since PHP is a pretty stupid-easy grammar, and you have access to the tokenizer, you can actually stop most of the badness by disallowing variable functions, and only allowing a small number of whitelisted functions to be called. If you don't need OOP, even better.
由于PHP是一个非常简单易懂的语法,并且您可以访问标记化器,因此您实际上可以通过禁止变量函数来阻止大部分错误,并且只允许调用少量白名单函数。如果你不需要OOP,那就更好了。
However, we don't feel confident enough that we nailed 100% of the problems, and we use this to power a sandbox for the backend users who are paying customers, not every user on planet earth with a keyboard, and perhaps malice.
但是,我们对100%的问题没有足够的信心,我们使用它来为后端用户提供沙箱,这些用户是支付客户的,而不是地球上每个使用键盘的用户,也许还有恶意。
I too think the people here who poo-poo the idea 100% as "bad practice" need to get a clue. There are reasons to do this.
我也认为这里的人们把这个想法100%作为“坏习惯”的人需要得到一个线索。有理由这样做。
#4
You cannot reliably sanitize the user input - a determined hacker will find some obscure way to circumvent your sanitization code.
您无法可靠地清理用户输入 - 确定的黑客会找到一些模糊的方法来规避您的清理代码。
Sandboxing could be possible, but is equally crippling. If you really want to be safe, you should create a sandbox for each call. After all, someone could execute bogus code that is harmful to all other users of your sandbox.
沙盒可能是可能的,但同样瘫痪。如果你真的想要安全,你应该为每个电话创建一个沙箱。毕竟,有人可能会执行对您沙盒的所有其他用户有害的虚假代码。
I don't think you really want to allow that. Think of it this way: you are providing programmatic access to the server!
我不认为你真的想要允许。可以这样想:您正在提供对服务器的编程访问!
#5
You could try using Quercus, a Java based PHP interpreter, to create a safe sandboxed PHP environment. You can do the same for JavaScript using Rhino, so I think it might be possible with Quercus.
您可以尝试使用基于Java的PHP解释器Quercus来创建安全的沙盒PHP环境。您可以使用Rhino对JavaScript执行相同的操作,因此我认为Quercus可能会这样做。
#6
You could consider creating a custom(ized) language that your users can make use of. Then it's up to you to create the library of supported functions that could very well be just wrappers of PHP's native functions. But even then, making it hack-proof or simply working is a tedious job at best. Perhaps you should re-evaluate why you want users to have code access in the first place? I'd love to help out if you need someone to discuss this with (or update your question, I guess? :)
您可以考虑创建用户可以使用的自定义(ized)语言。然后由您来创建支持函数库,这些函数很可能只是PHP本机函数的包装器。但即使这样,使其成为防黑客或仅仅工作也是一项乏味的工作。也许您应该重新评估您希望用户首先获得代码访问权限的原因?如果你需要有人与之讨论(或者更新你的问题,我猜?)我很乐意帮忙
Hope you can work it out!
希望你能解决它!
-Dave
#7
The is a class on GitHub that may help, early stages but looks promising.
这是一个关于GitHub的课程,可能有所帮助,早期阶段但看起来很有希望。
#8
Overall bad idea and too dangerous IMO, no matter what protections you put into place. Better create a pseudo-language limited to exactly what users are allowed to do.
无论你采取什么保护措施,整体糟糕的想法和太危险的IMO。更好地创建一种仅限于允许用户执行操作的伪语言。
#1
#2
You could use the tonkenizer to figure out what the code will do, then whitelist certain functions and operations. I think it would end up being very difficult (or impossible) to make it foolproof, especially given PHP's flexibility:
您可以使用tonkenizer来确定代码将执行的操作,然后将某些功能和操作列入白名单。我认为最终将它变得非常困难(或不可能)使其变得万无一失,特别是考虑到PHP的灵活性:
$f = "shell_exec";
$arg = 'rm -rf /';
$f($arg); // ouch
call_user_func($f, $arg); // ouch
eval("$f('$arg');"); // ouch
$newF = create_user_function('', "$f('$arg');");
$newF(); // ouch
The only kind of sandbox that will give you 100% security (well, 99.9%...) is a virtual machine you can just throw away afterwards.
唯一能给你100%安全性的沙箱(好吧,99.9%......)是一个虚拟机,你可以随后扔掉。
#3
We use the tokenizer to analyze code statically, as well as modify the code to perform runtime checks for certain things. This is done with the tokenizer and scripts based on the tokenizer. Since the tokenizer is the same one PHP actually uses, it improves your luck over writing your own.
我们使用tokenizer静态分析代码,并修改代码以对某些事情执行运行时检查。这是通过基于tokenizer的tokenizer和脚本完成的。由于标记化器与PHP实际使用的标记化器相同,因此它可以提高您编写自己的运气。
I've seen people using regexes to try to analyze a language. This is a really bad idea.
我见过人们使用正则表达式试图分析一种语言。这是一个非常糟糕的主意。
But ...
Since PHP is a pretty stupid-easy grammar, and you have access to the tokenizer, you can actually stop most of the badness by disallowing variable functions, and only allowing a small number of whitelisted functions to be called. If you don't need OOP, even better.
由于PHP是一个非常简单易懂的语法,并且您可以访问标记化器,因此您实际上可以通过禁止变量函数来阻止大部分错误,并且只允许调用少量白名单函数。如果你不需要OOP,那就更好了。
However, we don't feel confident enough that we nailed 100% of the problems, and we use this to power a sandbox for the backend users who are paying customers, not every user on planet earth with a keyboard, and perhaps malice.
但是,我们对100%的问题没有足够的信心,我们使用它来为后端用户提供沙箱,这些用户是支付客户的,而不是地球上每个使用键盘的用户,也许还有恶意。
I too think the people here who poo-poo the idea 100% as "bad practice" need to get a clue. There are reasons to do this.
我也认为这里的人们把这个想法100%作为“坏习惯”的人需要得到一个线索。有理由这样做。
#4
You cannot reliably sanitize the user input - a determined hacker will find some obscure way to circumvent your sanitization code.
您无法可靠地清理用户输入 - 确定的黑客会找到一些模糊的方法来规避您的清理代码。
Sandboxing could be possible, but is equally crippling. If you really want to be safe, you should create a sandbox for each call. After all, someone could execute bogus code that is harmful to all other users of your sandbox.
沙盒可能是可能的,但同样瘫痪。如果你真的想要安全,你应该为每个电话创建一个沙箱。毕竟,有人可能会执行对您沙盒的所有其他用户有害的虚假代码。
I don't think you really want to allow that. Think of it this way: you are providing programmatic access to the server!
我不认为你真的想要允许。可以这样想:您正在提供对服务器的编程访问!
#5
You could try using Quercus, a Java based PHP interpreter, to create a safe sandboxed PHP environment. You can do the same for JavaScript using Rhino, so I think it might be possible with Quercus.
您可以尝试使用基于Java的PHP解释器Quercus来创建安全的沙盒PHP环境。您可以使用Rhino对JavaScript执行相同的操作,因此我认为Quercus可能会这样做。
#6
You could consider creating a custom(ized) language that your users can make use of. Then it's up to you to create the library of supported functions that could very well be just wrappers of PHP's native functions. But even then, making it hack-proof or simply working is a tedious job at best. Perhaps you should re-evaluate why you want users to have code access in the first place? I'd love to help out if you need someone to discuss this with (or update your question, I guess? :)
您可以考虑创建用户可以使用的自定义(ized)语言。然后由您来创建支持函数库,这些函数很可能只是PHP本机函数的包装器。但即使这样,使其成为防黑客或仅仅工作也是一项乏味的工作。也许您应该重新评估您希望用户首先获得代码访问权限的原因?如果你需要有人与之讨论(或者更新你的问题,我猜?)我很乐意帮忙
Hope you can work it out!
希望你能解决它!
-Dave
#7
The is a class on GitHub that may help, early stages but looks promising.
这是一个关于GitHub的课程,可能有所帮助,早期阶段但看起来很有希望。
#8
Overall bad idea and too dangerous IMO, no matter what protections you put into place. Better create a pseudo-language limited to exactly what users are allowed to do.
无论你采取什么保护措施,整体糟糕的想法和太危险的IMO。更好地创建一种仅限于允许用户执行操作的伪语言。