0

I was reading : When (if ever) is eval NOT evil? and a few others guides on the net when to use eval and when not. None of this posts could really answer my question about security concerns in regard of dynamic class compositing at run-time.

Background : As we can't use PHP 5.4 traits to properly mixin in classes into each other, we needed another solution to get dynamic mixins. So we found this particular class on on Github : https://github.com/wellspringworldwide/PHP-ClassMixer/blob/master/ClassMixer.php which does exactly what we want.

I am not really an expert to evaluate such code in regard of potential security risks but maybe somebody on Stackoverflow knows what the risks are of such methods.

As far I understood, the base for security concerns with this method of using eval for class composition are only given when

  1. The class to be mixed into another class is accessible and modifiable from outside, for instance file or RPC access
  2. A user can gain access to the running context, ie, the surrounding code loads plugin code
  3. A user gains access to the applications working memory and alters data there.

None of these circumstances are given in our application but I am not sure there are other conditions we need to think about when using eval that way !?

thank you.

Community
  • 1
  • 1
xamiro
  • 1,391
  • 1
  • 16
  • 32

1 Answers1

1

Eval basically is bad because it's eval() :D

No seriously:

You should NEVER compose some source and throw it into eval. As soon as your script composing the source has any dependent data sources like a DB backend, the file system reading (especially text-)files or (even worse) some form data there's always the chance of invasive and damaging code being injected. (e.g. ;exec('rm -rf /');)

Using the Decorator Pattern might help you out. Please read this and that as a primer to understanding the Decorator Pattern.

Anticom
  • 975
  • 13
  • 29
  • Hi, thank your for you answer but I am sorry, its not really unrevealing the security risks apart from eval is evil. Then the decorator pattern is nice but that is not real conditional/dynamic class composting at run-time and also very limited plus its creates even more bloat which we'd like to avoid. thanks again! – xamiro Apr 17 '14 at 13:01
  • So what purpose should your classes serve? There certainly are code generators like e.g. in doctrine or symfony. Maybe I didn't quite get, what you want to do. – Anticom Apr 21 '14 at 13:09
  • pretty much all, from logging,variable resolvers, debugging, permission descriptors, and plenty of other things I need to add to an existing class. the problem is that static code generators are useless as even the classes to be mixed in are composed as well. – xamiro Apr 21 '14 at 16:15