-1

Is there a way to safely run a user-supplied PHP script? I think I must disable:

  • fopen and all other file related functions
  • exec and other ways to execute a command
  • curl
  • mail to prevent spam

Is that enough? How can I disable all that stuff (only for that script, not for my scripts)?

Thanks for help.

  • Possible duplicate of [Is there a way to execute php code in a sandbox from within php](http://stackoverflow.com/questions/324726/is-there-a-way-to-execute-php-code-in-a-sandbox-from-within-php) and many others – JJJ Dec 20 '15 at 10:34
  • @Juhana No, that question is about an environment sandbox, while mine is about a security sandbox for user supplied scripts. – Zhigalin - Reinstate CMs Dec 20 '15 at 10:39

1 Answer

2

Have a look at Runkit_Sandbox: http://php.net/manual/en/runkit.sandbox.php

Instantiating the Runkit_Sandbox class creates a new thread with its own scope and program stack. Using a set of options passed to the constructor, this environment may be restricted to a subset of what the primary interpreter can do and provide a safer environment for executing user supplied code.

Manikiran
  • Thanks, can you also suggest a list of functions/classes I must disable to prevent any interaction with the host machine? – Zhigalin - Reinstate CMs Dec 20 '15 at 10:45
  • Please have a look at all possible security attacks and then disable those functions which you would not need. http://php.net/manual/en/security.cgi-bin.attacks.php – Manikiran Dec 20 '15 at 10:51
  • Actually, have a complete look at all security issues in PHP. http://php.net/manual/en/security.php – Manikiran Dec 20 '15 at 10:52
  • And don't forget to choose my answer if it helps you – Manikiran Dec 20 '15 at 10:53
  • Well, the links you gave me are talking about external attacks, while in my case there is a malicious script I have to run. In my question there is a list of things I think I must disable, but I am sure I have forgotten something... – Zhigalin - Reinstate CMs Dec 20 '15 at 11:07
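
The constructor options mentioned in the answer, applied to the categories listed in the question. This is an added example, not code from the original answer or from the runkit project; the helper names, the `/var/empty/` jail path and both deny lists are assumptions, and the lists are illustrative rather than exhaustive. It assumes the PECL runkit extension on a thread-safe PHP build.

```php
<?php
// Added example (not from the original page). Helper names are hypothetical.

// Functions to deny, grouped by the question's categories. Not exhaustive.
function denied_functions()
{
    return array(
        // command execution
        'exec', 'shell_exec', 'system', 'passthru', 'popen', 'proc_open', 'pcntl_exec',
        // file access
        'fopen', 'file', 'file_get_contents', 'file_put_contents', 'readfile',
        'unlink', 'rename', 'copy', 'mkdir', 'rmdir', 'chmod', 'symlink', 'link',
        // network (curl and raw sockets)
        'curl_init', 'curl_exec', 'curl_multi_exec', 'fsockopen', 'pfsockopen',
        'stream_socket_client', 'stream_socket_server', 'socket_create',
        // mail and runtime reconfiguration
        'mail', 'dl', 'putenv',
    );
}

// File access is also reachable through classes, so a function list alone
// leaves a gap: the SPL file and directory classes are denied as well.
function denied_classes()
{
    return array('SplFileObject', 'SplTempFileObject', 'SplFileInfo',
                 'DirectoryIterator', 'FilesystemIterator',
                 'RecursiveDirectoryIterator', 'GlobIterator');
}

function run_untrusted($code, $jailDir)
{
    if (!class_exists('Runkit_Sandbox')) {
        throw new RuntimeException('Runkit_Sandbox is not available on this build');
    }
    $sandbox = new Runkit_Sandbox(array(
        'open_basedir'      => $jailDir,   // confine any remaining file access
        'allow_url_fopen'   => 'false',    // value written as in the PHP manual's example
        'disable_functions' => implode(',', denied_functions()),
        'disable_classes'   => implode(',', denied_classes()),
    ));
    // The restrictions apply only inside the sandbox; the calling script keeps
    // its normal function set, which is what the question asks for.
    $sandbox->eval($code);
}

// Constructed sample of a user-supplied script: one allowed call, one denied call.
$userCode = 'echo strtoupper("hello"), "\n"; file_put_contents("out.txt", "x");';
run_untrusted($userCode, '/var/empty/');   // placeholder jail directory
```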