
Does anyone have a prepared whitelist of as many as possible secure / unexploitable PHP functions?

I am building a web application where the user enters a Smarty template (Smarty version 3). The application runs this template through Smarty (with proper Smarty_Security in place) and then cleans the resulting HTML with HTMLPurifier.

Everything seems safe to me, but the users need functions so they can be used as Smarty modifiers. I can whitelist them one by one, but it would take a lot of effort and would be error-prone. I have only found a blacklist - Exploitable PHP functions.

This is a somewhat similar question, but there are no suitable answers (for my case).

johndodo
  • Which functions do the users need? You have not shared that with your question, so probably you should. Additionally, what is the meaning of "exploitable" in your question. You have not written what you consider an exploit. Is this on the level of a three month old child fearing the world and therefore crying for mommy (one solution does it all) or is this more concrete? – hakre May 11 '12 at 10:32
  • I agree, I was maybe a bit vague in the question - however, [exploitable PHP functions](http://stackoverflow.com/questions/3115559/exploitable-php-functions) defines possible problems pretty well. I am basically looking for a function list that avoids them. – johndodo May 12 '12 at 15:53
  • Take the superset of all functions in PHP and create the difference to the subset of the exploitable PHP functions. You then have the negation of exploitable PHP functions, which might then be the un-exploitable PHP functions. (if the definition of exploitation can be clearly negated that way, I personally doubt it, but it's a free country) – hakre May 12 '12 at 15:56
  • This http://php.net/manual/en/aliases.php and this http://www.php.net/manual/en/indexes.functions.php might be helpful. – hakre May 12 '12 at 15:57
  • Thanks, hakre - if no one can supply the precompiled list I will use this to make one. – johndodo May 13 '12 at 09:13
  • As I tried to make more clear to you: **Your** list is what **you** think is secure. **Others** will think totally differently. And to add: **If anybody is posting you a list of "secure" functions, I won't trust him/her at all. The list might be for something completely different than your needs, and I don't mean Smarty, I mean your site + app + customer + clients + users + designers**. – hakre May 13 '12 at 09:43
  • No need to shout, I understood you - I just don't agree with you. Given the use case I think it is pretty clear which functions should be considered safe and which not. I also think the use case is pretty common. – johndodo May 13 '12 at 09:48
  • let us [continue this discussion in chat](http://chat.stackoverflow.com/rooms/11191/discussion-between-hakre-and-johndodo) – hakre May 13 '12 at 09:49

2 Answers


Smarty_Security starts out with

$php_functions = array(
    'isset', 'empty',
    'count', 'sizeof',
    'in_array', 'is_array',
    'time',
    'nl2br',
);

adding the (presumably safe) operations for math and some more date and array stuff:

$php_functions = array(
    // Smarty_Security defaults
    'isset', 'empty',
    'count', 'sizeof',
    'in_array', 'is_array', 'join', 'explode',
    'time', 'date', 'strtotime', 'strftime',
    'nl2br',
    // type conversion and random numbers
    'intval', 'floatval', 'rand', 'srand',
    // math
    'log', 'log10', 'pi', 'pow', 'sqrt', 'exp',
    'floor', 'ceil', 'round', 'min', 'max', 'abs',
    'sin', 'cos', 'tan', 'atan', 'atan2',
);
rodneyrehm
  • Thanks! But I am looking for a somewhat larger list - for instance array_shift, array_pop & similar should be in there too... There should be hundreds of entries. I will add your entries to my current list though. :) – johndodo Apr 19 '12 at 10:38
  • I'm not sure you really want to be doing any `array_shift()` in a template. You could of course start with a reasonable set of allowed functions and add to the list once someone requires specific functions… – rodneyrehm Apr 19 '12 at 11:44
  • @rodneyrehm Is it reasonable to consider all "read-only" functions to be safe? – noisebleed Apr 19 '12 at 11:54
  • no. `file_get_contents()` is a readonly function, but could be abused to output a file you don't want public. – rodneyrehm Apr 20 '12 at 07:00
  • @rodneyrehm: I need to allow user to manipulate his variables (arrays, strings,...) as much as possible. I see no problem with `array_shift()` - do you? Note that user only sees the variables which are local to him. – johndodo Apr 20 '12 at 07:46
  • I don't see any particular problem with `array_shift()`. I'm just wondering what you'd need it for in a template. While we're at arrays, see http://stackoverflow.com/questions/3115559/exploitable-php-functions/3697776#3697776 - don't allow anything that takes a callback – rodneyrehm Apr 20 '12 at 09:08
  • You want to *control* stuff in your *view*? *Does not sound like a good idea* – dan-lee May 11 '12 at 09:41
  • `time` is a function prone to information disclosure, I would not consider it secure. – hakre May 11 '12 at 10:33
  • @Dan Lee: actually the scenario is a bit more complicated than that. I must allow users to enter views that other users will see too. And I need to make sure the other users can do it safely (no XSS, no filesystem manipulation, no mail(),...). – johndodo May 12 '12 at 16:02
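As an added example (not code from the answer above, and not Smarty's own), here is the whitelist approach wired into Smarty_Security together with an automated check for the rule from the comments: nothing that takes a callback may be on the list, because a callable argument lets a template reach any function in the process. It assumes PHP 8.0 or later, where internal functions expose their parameter types through reflection (on PHP 7 the audit would see no types and pass everything, hence the version guard), Smarty 3.1's Smarty_Security property names (`$php_functions`, `$php_modifiers`, `$streams`, `$allow_super_globals`, `$allow_constants`) and `Smarty::enableSecurity()`; the path to Smarty.class.php and the function lists themselves are assumptions for illustration.

```php
<?php
// Added example: audit a Smarty_Security function whitelist for callback-taking
// functions before enabling it. Not from the original answer or from Smarty.
// Assumes PHP >= 8.0 and Smarty 3.1; the include path below is an assumption.
declare(strict_types=1);

if (PHP_VERSION_ID < 80000) {
    // Before 8.0 internal functions carry no reflection type info, so the
    // audit would silently approve array_map, usort and friends.
    throw new RuntimeException('whitelist audit needs PHP >= 8.0');
}

require_once __DIR__ . '/libs/Smarty.class.php';

/** True if a parameter type admits a callable (callable, Closure, or a union containing one). */
function acceptsCallable(?ReflectionType $type): bool
{
    if ($type instanceof ReflectionNamedType) {
        return in_array($type->getName(), ['callable', 'Closure'], true);
    }
    if ($type instanceof ReflectionUnionType) {
        foreach ($type->getTypes() as $member) {
            if (acceptsCallable($member)) {
                return true;
            }
        }
    }
    return false;
}

/**
 * Returns name => reason for every candidate that must NOT be whitelisted:
 * names that are not defined functions, and functions with a callable
 * parameter (array_map, usort, preg_replace_callback, call_user_func, ...).
 * Passing the audit is a floor, not a proof: read-only functions such as
 * file_get_contents() still have to be reviewed by hand.
 */
function auditWhitelist(array $candidates): array
{
    $rejected = [];
    foreach ($candidates as $name) {
        if ($name === 'isset' || $name === 'empty') {
            continue; // language constructs, compiled by Smarty itself
        }
        if (!function_exists($name)) {
            $rejected[$name] = 'not a defined function';
            continue;
        }
        foreach ((new ReflectionFunction($name))->getParameters() as $param) {
            if (acceptsCallable($param->getType())) {
                $rejected[$name] = 'parameter $' . $param->getName() . ' accepts a callable';
                break;
            }
        }
    }
    return $rejected;
}

class TemplateSecurity extends Smarty_Security
{
    // Smarty's defaults plus string, array, date and math helpers (illustrative list).
    public $php_functions = [
        'isset', 'empty', 'count', 'sizeof', 'in_array', 'is_array',
        'explode', 'implode', 'join', 'array_shift', 'array_pop', 'array_keys',
        'time', 'date', 'strtotime',
        'nl2br', 'intval', 'floatval', 'strlen', 'strtoupper', 'strtolower', 'ucfirst',
        'floor', 'ceil', 'round', 'min', 'max', 'abs', 'sqrt', 'pow',
    ];
    // PHP functions usable as {$x|modifier}; audited with the list above.
    public $php_modifiers = ['count', 'nl2br', 'strtoupper', 'strtolower', 'ucfirst', 'date', 'intval', 'round'];
    // Caution: in Smarty_Security an EMPTY array means "allow everything";
    // null is what disables a feature entirely.
    public $streams = null;              // no file:// or other stream wrappers from templates
    public $allow_super_globals = false; // no $_SERVER, $_ENV, $_COOKIE in templates
    public $allow_constants = false;
}

// Self-check of the audit against a list that must fail.
$mustFail = auditWhitelist(['array_map', 'usort', 'count', 'no_such_fn']);
if (array_keys($mustFail) !== ['array_map', 'usort', 'no_such_fn']) {
    throw new LogicException('whitelist audit is not working: ' . json_encode($mustFail));
}

$smarty   = new Smarty();
$security = new TemplateSecurity($smarty);

// Refuse to start if the whitelist drifted to include something dangerous.
$problems = auditWhitelist(array_merge($security->php_functions, $security->php_modifiers));
foreach ($problems as $fn => $why) {
    fwrite(STDERR, "refusing to whitelist $fn: $why\n");
}
if ($problems !== []) {
    exit(1);
}
$smarty->enableSecurity($security);
```

Run this once at application start (or as a unit test) so that every addition to the list is checked automatically; the self-check near the end exists so a future PHP change that hides parameter types fails loudly instead of approving everything. The audit only catches the callback class of problems: information-disclosure functions (hakre's point about `time`) and read primitives such as `file_get_contents()` pass it and remain a manual review decision.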

Did you see that great topic? Exploitable PHP functions

So you can make an "array_diff" between the list of allowed functions and the list of dangerous functions in your mind.

Vladimir Posvistelik
  • ... yet another useful article: http://security.stackexchange.com/questions/1382/disable-insecure-dangerous-php-functions – Vladimir Posvistelik May 11 '12 at 14:30
  • Thanks, I mentioned [Exploitable PHP functions](http://stackoverflow.com/questions/3115559/exploitable-php-functions) in the question. However, making an (automated) diff between all functions and (known) unsafe function does **not** produce a whitelist of safe functions - it is still just as good as a original blacklist (which is probably not complete). I would rather have an incomplete whitelist than a *supposedly* complete blacklist. :) – johndodo May 12 '12 at 15:43