Execute PHP code with restrictions

Question

We have a CMS editor where php is allowed to be used inside it, however we need to restrict access some commands such as file_get_contents, file(), and global.

Can someone help me with a boolean response regex for that? The text from the template is stored in a string.

I know, probably not an ideal method for this but it's all I can come up with for now :)

you're definitely running into problems with that. what about `$a = 'file'; $a();`? — knittl, Mar 20 '11 at 08:50
Related: http://stackoverflow.com/questions/3115559/exploitable-php-functions/ — Unicron, Mar 20 '11 at 09:00

NikiC · Accepted Answer · 2011-03-20T09:20:24.740

What you want to do is pretty much impossible. It is really hard to protect yourself against attacks if you allow people to execute code on your machine.

Here is the try I had on it: Sandbox. Source code.

What it does is basically maintain a large list of blacklisted functions for filesystem access, shell access, a.s.o (I allowed some functions for reading the filesystem like show_source that should not be allowed if you want to use it for something real.)

It also tries to protect from more hidden attacks like $func = 'unlink'; $func(__FILE__); by turning it into $func = 'unlink'; ${'___xyz'.!$___xyz=Sandbox::checkVarFunction($func)}(__FILE__) a.s.o.

PS: Still you probably don't want to allow people to run PHP code on your site. The risk is just by far too big. Instead I would allow people to use a templateing language inside the editor. A good candidate would be Twig, because it has a built in sandbox which allows you to restrict usage to certain tags, functions, ...

I was actually just about to ask for the source code :) thanks! — Joe, Mar 20 '11 at 09:12
@Joe you can get the source by doing `hightlight_file('./src/Sandbox.php');` ;) — alexn, Mar 20 '11 at 10:49

score 2 · Answer 2 · answered Mar 20 '11 at 09:02

It's going to be very hard to protect yourself perfectly.

As I see it, you have a few options:

Search for predefined strings which is not allowed in your content (like file_get_contents) and display a error message saying that the user cannot save because of this. This will however lead to "hacks" where you'll end up searching for all possible characters, like () which can be valid in some cases.
Use token_get_all and try to parse the content as PHP. You can then loop through the whole source code, token by token, and see if you find a token you do not accept.
Write your own language or DSL for this. This language should only be capable of doing exactly what you want. Depending on your requirements, this can be the easiest and most maintainable way to go.

score -3 · Answer 3 · answered Mar 20 '11 at 08:53

-3

You can use preg_match for this. Use:

if(preg_match("#(file_get_contents|file)\(#i",$text))

answered Mar 20 '11 at 08:53

Jens

1,499
3
17
28

1

What about `$evil = "fi"."le"."_get_contents"; $evil($url);`? – Unicron Mar 20 '11 at 08:58
True, didn't even think that far. Bit strange to publicly allow php code. – Jens Mar 20 '11 at 09:09

Execute PHP code with restrictions

3 Answers3

Linked