2

I know this question sounds easy to answer, and I must have missed something somewhere, but after searching, I can't find an answer. I only can find answers about wrapping functions in classes, but I would like to wrap functions themselves, such as fopen.

Why: This may sound strange, but I want to make a site builder in which you write code and it saves it on your account. You should be able to write PHP, but of course you shouldn't delete or open server files, so I want to wrap functions so that I can first check if their fopen, rmdir, or similar functions are safe.

Lakshya Raj
  • 1,669
  • 3
  • 10
  • 34
  • I don't understand the question, you can just put `fopen()` in a func like `myFopen()` that checks the input and output before returning. Is that what you mean? – symlink Feb 19 '21 at 18:35
  • @symlink: Yes, but then they can simply just use `fopen` and not `myFopen`, therefore making the attempt useless. – Lakshya Raj Feb 19 '21 at 18:36
  • So you want to expose your own functions to them, but not give them access to the rest of PHP? – symlink Feb 19 '21 at 18:38
  • @symlink: Yes, precisely. From JS, I thought something like `fopen=function(){if(safe){execute fopen;};`, but function wrapping made more sense. In PHP I think/know you can't assign functions. – Lakshya Raj Feb 19 '21 at 18:39
  • I think when you handle their input, you can just check to see if isn't one of your functions, and then execute one of your functions based on the input. Is that what you're looking for? – symlink Feb 19 '21 at 18:42
  • I think that's better ensured by the webserver running the code and/or the user setup of the machine underneath. That said, yes, some plugins intercept PHP native functions for e.g. metrics. – Ulrich Eckhardt Feb 19 '21 at 18:42
  • How are they entering the input? Are they typing it into a textarea and submitting a form? – symlink Feb 19 '21 at 18:43
  • @Mar: That looks interesting. Let me try it. Will let you know if it works – Lakshya Raj Feb 19 '21 at 18:46
  • @Mar: That needs an APD (Advanced PHP Debugger). Not very sure about if to and how to use it. – Lakshya Raj Feb 19 '21 at 19:00
  • @symlink: Yes, let's say that they type into a text area and send a POST request to the server to save the code. – Lakshya Raj Feb 19 '21 at 19:24
  • 2
    The reason you're struggling to find anything about this is that what you're asking for wouldn't normally be called "wrapping" - that would normally just mean a new function with a new name. What you seem to be asking for is a way to "replace", "shadow", or "over-ride" built-in functions. – IMSoP Feb 19 '21 at 19:25
  • take a look at this https://stackoverflow.com/questions/3100538/how-to-overwrite-existing-php-functions-without-apd – Mar Feb 19 '21 at 19:30
  • @Mar: I'm going to use the namespace answer or [the whitelist approach](https://stackoverflow.com/a/66283970/14469685). They seem to require the least setup, and won't be too complicated. – Lakshya Raj Feb 19 '21 at 19:40
  • Another possible dupe: https://stackoverflow.com/questions/530649/is-it-possible-to-replace-monkeypatch-php-functions In fact, although I've posted an answer based on your comments, the actual text of this question doesn't say anything those three don't, so I'm going to go ahead and mark it duplicate. – IMSoP Feb 19 '21 at 19:40

1 Answers1

3

Frame challenge: if you did succeed in this, it would be using a blacklist to achieve security, which is basically impossible to do effectively. For every function you replace with a "safe" version, there will be ten you hadn't thought of that can be used in a malicious way.

Instead, you should either use a whitelist or a sandbox.

In a whitelist approach, you don't let the user enter normal PHP at all, but a special set of functionality that you've carefully picked to allow them to do what they need. That could be an actual subset of PHP that you parse with something like nikic/php-parser, a templating language like Twig, or a completely new language you write a simple parser for.

In a sandbox approach, you allow the user to enter full PHP, but you run it in an isolated environment where they can't affect your real server. Any access to the file system or network would only be accessing virtual resources, and if the process abuses CPU or memory resources, the entire sandbox can be terminated. See for instance how the 3v4l.org site is hosted.

IMSoP
  • 89,526
  • 13
  • 117
  • 169