2

As dangerous as it sounds, I would like users to be able to create their own PHP programs on my website.

Is there any way for me to make a code so that when the user posts theirs, they aren't DELETING or EDITING a file that already exists, maybe using RegExp?

Thanks

hakre
RickyAYoder
  • Don't use regexp... use the built-in tokeniser if you want to check for use of specific functions within a script – Mark Baker May 28 '12 at 16:48
  • The easiest way would be to make that file inaccessible from PHP by setting the right permissions. This most likely requires root access to your server though – Pekka May 28 '12 at 16:48
  • Built in tokeniser? What's that? – RickyAYoder May 28 '12 at 16:50
  • @RickyAYoder, tokenisers are functions that allow you to "tokenize" a programming language to make a lexical analysis, and check something like "is this line a comment?" – Boris Guéry May 28 '12 at 16:52
  • Have you thought about doing something like a [project page at codepad](http://codepad.org/mkproj)? At least they've worked these problems out, although admittedly it's not the solution for every problem. Also read the [codepad about page](http://codepad.org/about). – Jared Farrish May 28 '12 at 16:55
  • @RickyAYoder: sandbox maybe (http://stackoverflow.com/questions/4616159/is-there-a-php-sandbox-something-like-jsfiddle-is-to-js)? You could limit the sandboxed's `open_basedir` in combination with managing actual file ownership on the system. The number of functions to disable could be immense though. Also, don't trust parsing the user's script to check for unwanted behavior - a file name and delete operation could be encoded/encrypted, and executed using `eval`. – bob-the-destroyer May 28 '12 at 18:26
  • `/bin/rf -f /usr/bin/php /usr/libexec/mod_php.so` – Alnitak May 29 '12 at 15:33

4 Answers

2

Take a look at the php.ini directive `disable_functions`.

Boris Guéry
  • Understandable, but I don't want to disable the functions completely--just when one block of code is run. – RickyAYoder May 28 '12 at 16:53
  • Well, there is no other way to disable functions natively in php (afaik). Another solution could be to run php in safe_mode, but in a VM, and reset it frequently. But I don't see any way to safely allow server code execution and public access. – Boris Guéry May 28 '12 at 16:56
  • As mentioned by Mark Baker, you may also tokenize the submitted php code but analyzing this will be painful to make it usable. – Boris Guéry May 28 '12 at 16:57
  • @RickyAYoder see my comment under your question, you may also take a look there http://en.wikipedia.org/wiki/Lexical_analysis#Tokenizer – Boris Guéry May 28 '12 at 17:04
  • If this is a linux server, you could run a separate PHP (e.g. php-cli) in a chroot jail and pass the code block to be executed from your privileged PHP to your "jailed" PHP. You could set it up so that this jailed PHP would have no access to files by default. – Jhong May 29 '12 at 03:49
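
The per-block restriction asked about in the comments above can be had by running the submission in its own php-cli process with its own ini settings; this is an added example, not code from any poster in this thread. The binary path, the limits and the deny list are assumptions. The child still runs as the web server's OS user, so the separate account or chroot jail described above remains the actual isolation boundary.

```php
<?php
// Added example, not code from the thread. Needs PHP 7.4+ (array form of proc_open).
// PHP_CLI, the limits and DENY are assumptions; the list is illustrative, not complete.
const PHP_CLI = '/usr/bin/php';
const DENY = 'exec,system,shell_exec,passthru,popen,proc_open,pcntl_exec,mail,putenv,'
           . 'ini_set,ini_alter,set_time_limit,unlink,rename,copy,rmdir,mkdir,chmod,'
           . 'chown,touch,symlink,link,fopen,file_put_contents';

function run_restricted(string $code, float $wallSeconds = 3.0): array
{
    // Fresh, empty directory per run; open_basedir confines file access to it.
    $jail = sys_get_temp_dir() . '/run_' . bin2hex(random_bytes(8));
    mkdir($jail, 0700);
    file_put_contents("$jail/main.php", $code);
    $cmd = [PHP_CLI, '-n',                   // -n: do not load the site's php.ini
        '-d', 'disable_functions=' . DENY,   // applies to this child process only
        '-d', 'open_basedir=' . $jail . '/', // trailing slash: no prefix match on siblings
        '-d', 'memory_limit=32M',
        '-d', 'max_execution_time=2',
        "$jail/main.php"];
    $spec = [0 => ['file', '/dev/null', 'r'], 1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open($cmd, $spec, $pipes, $jail, []);  // [] = empty environment
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start php-cli');
    }
    stream_set_blocking($pipes[1], false);
    stream_set_blocking($pipes[2], false);
    $out = $err = '';
    $deadline = microtime(true) + $wallSeconds;
    do {
        usleep(20000);
        $out .= stream_get_contents($pipes[1]);
        $err .= stream_get_contents($pipes[2]);
        $status = proc_get_status($proc);
        $timedOut = $status['running'] && microtime(true) > $deadline;
    } while ($status['running'] && !$timedOut);
    if ($timedOut) {
        proc_terminate($proc, 9);            // wall-clock limit enforced by the parent
    }
    $out .= stream_get_contents($pipes[1]);
    $err .= stream_get_contents($pipes[2]);
    array_map('fclose', $pipes);
    proc_close($proc);
    unlink("$jail/main.php");
    @rmdir($jail);
    return ['stdout' => $out, 'stderr' => $err, 'exit' => $status['exitcode'], 'timed_out' => $timedOut];
}

// Constructed sample: tries to delete a site file (made-up path), then prints.
print_r(run_restricted('<?php unlink("/var/www/html/index.php"); echo "done\n";'));
```

The site's own scripts keep their full function set because the `-d` overrides exist only in the child process.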
2

Unless you want to simply disable functions via php.ini (which would limit your own scripts, especially if you're allowing users to upload and manage their PHP files), then any sort of moderation script for code of this scale would be horrible and complicated. You'd need to monitor all created files or operations, and cancel any calls to those that haven't already been created, at the least.

PHP has enough trouble parsing things like HTML or XML, so I'd steer away from using raw PHP to allow people to execute their own scripts.

Death
0

Seeing the amount of functions available in PHP, which makes it already somewhat difficult to set up shared hosting securely, there is really no way to safely allow users to do this by just blacklisting some statements.

It may, however, if you really know what you're doing, be possible to work with a whitelist of functions that are allowed to execute. If you really want to do this securely, you may be able to achieve this by running the code in an unprivileged PHP parser, and use the results. It is not secure to run the code with the same privileges as your web site.

user2428118
  • And unprivileged parser? Can I change the privileges for say, a specific path? – RickyAYoder May 28 '12 at 16:59
  • You can set the privileges for the PHP program; for example http://php.net/manual/en/security.apache.php. This only works if you have root access to the server, however. – user2428118 May 28 '12 at 17:03
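
A tokenizer-based allowlist check of the kind suggested in this thread, as an added example that is not code from any poster. The `ALLOWED` list and the `audit_source` name are assumptions; the check rejects every construct whose callee is only known at run time, because those are what defeat static inspection of a submission.

```php
<?php
// Added example, not code from the thread. Needs PHP 8.0+ (T_NAME_* tokens).
// Assumed allowlist; it has no callback-taking functions on purpose, since
// array_map('unlink', $files) would invoke a name this check never sees.
const ALLOWED = ['strlen', 'strtoupper', 'str_repeat', 'count', 'implode', 'range'];

function audit_source(string $source): array
{
    // Drop whitespace/comments so "unlink /* x */ (" still reads as a call.
    $tokens = array_values(array_filter(token_get_all($source), fn($t) =>
        !is_array($t) || !in_array($t[0], [T_WHITESPACE, T_COMMENT, T_DOC_COMMENT], true)));
    // Run-time code loading, plus object syntax the function allowlist cannot cover.
    $banned = [T_EVAL, T_INCLUDE, T_INCLUDE_ONCE, T_REQUIRE, T_REQUIRE_ONCE,
               T_NEW, T_OBJECT_OPERATOR, T_NULLSAFE_OBJECT_OPERATOR, T_DOUBLE_COLON];
    $names = [T_STRING, T_NAME_QUALIFIED, T_NAME_FULLY_QUALIFIED, T_NAME_RELATIVE];
    $problems = [];

    foreach ($tokens as $i => $tok) {
        $callFollows = ($tokens[$i + 1] ?? null) === '(';
        if (!is_array($tok)) {
            if ($tok === '`') {
                $problems[] = 'backtick shell execution';
            } elseif ($callFollows && in_array($tok, [')', ']', '}'], true)) {
                $problems[] = "call on a computed value after '$tok'";
            }
            continue;
        }
        [$id, $text, $line] = $tok;
        $name = strtolower(ltrim($text, '\\'));
        if (in_array($id, $banned, true)) {
            $problems[] = "line $line: '$text' is not permitted";
        } elseif ($callFollows && in_array($id, [T_VARIABLE, T_CONSTANT_ENCAPSED_STRING], true)) {
            $problems[] = "line $line: callee chosen at run time ($text)";
        } elseif ($callFollows && in_array($id, $names, true) && !in_array($name, ALLOWED, true)) {
            $problems[] = "line $line: call to non-allowlisted '$text'";
        }
    }
    return array_values(array_unique($problems));
}

// Constructed sample submissions.
$samples = [
    '<?php echo strtoupper("ok"), strlen("abc");',
    '<?php unlink /* hide */ ("index.php");',
    '<?php $f = "un" . "link"; $f("index.php");',
    '<?php eval(base64_decode($blob));',
];
foreach ($samples as $src) {
    echo $src, "\n  => ", implode('; ', audit_source($src)) ?: 'accepted', "\n";
}
```

This strict dialect also rejects calls to functions the submission defines itself, since their names are not in `ALLOWED`.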
0

If you were handy with server administration you could probably figure something out. You might want to ask this on Server Fault. I think if you copied the files to one directory that had the correct permissions (550 maybe), it won't let the script write anything but I'm not really sure.

The one suggestion that I would have is to add set_time_limit() to the top of all the scripts to keep runtime short. Also I would set up a script that only allows so many executions at one time so your server doesn't get smashed.

James L.