
Thread: Limiting PHP

  1. #1 Andrew-J2000

    Limiting PHP

    What's the best way to limit the PHP functions available? I'm going to be using the eval function to run users' basic PHP scripts, but I want to do this with limited functionality, so the server is not open to attacks.

    Such as disabling "fopen" and numerous other functions, which will not be authorised for certain users. Lycos have done something similar to this at http://www.tripod.lycos.co.uk

  2. #2 firepages
    I think Lycos would be using the php.ini configuration option 'disable_functions', where you can supply a list of functions to disable. You can only set this in php.ini or httpd.conf and not at runtime via ini_set().

    ...you could have an array of function names and parse the eval'ed code for them, but that would be hit and miss and very slow as you would have to use regex; a bit of a nightmare to code and still possibly open to abuse?

  3. #3 Andrew-J2000
    Yes, I realised that. I cannot disable the ini file, as it would stop my script from using functions it needs to work...

    I think I will try a regexp, then copy the output to a file, instead of using eval each time...

    thanks

  4. #4 Phil.Roberts
    To be honest, disabling fopen() is like hanging out a flag displaying your security vulnerabilities. I know of one kiddie host that did this once and they were hacked to death within a matter of days.

    Unless you run hosting that absolutely demands the highest possible security, using safe_mode is so restrictive it completely disables scripts that require file handling abilities. If you're a professional host then you should know how to safeguard your server without resorting to crippling your PHP installation. All that will do is drive your users away.

  5. #5 Karl
    He's not really on about hosting; what he said was that he would be parsing sections of user-submitted PHP (from any old Joe) and wanted to make sure they couldn't do anything like write files or exec other programs etc.

  6. #6 Andrew-J2000
    Quote Originally Posted by Phil.Roberts:
    To be honest, disabling fopen() is like hanging out a flag displaying your security vulnerabilities. I know of one kiddie host that did this once and they were hacked to death within a matter of days.

    Unless you run hosting that absolutely demands the highest possible security, using safe_mode is so restrictive it completely disables scripts that require file handling abilities. If you're a professional host then you should know how to safeguard your server without resorting to crippling your PHP installation. All that will do is drive your users away.

    That's right Karl, although I'm leveraging users with the ability to customise their site / section of the portal, I will be offering a few methods of customisation, such as wysiwyg / html / xslt / php, to make things as flexible as possible to automate certain tasks for the user.

    Phil, I do agree with you; however, knowing some companies, they tend to turn a blind eye and this feature could be more trouble than it's worth. So I may implement this feature at a later date if it gets some interest...
    Last edited by Andrew-J2000; Mar 6, 2003 at 13:19.

  7. #7 Non-Member
    I can't offer any help at this time, though I'd be interested in how things pan out later 8)

  8. #8 seanf
    Sounds dangerous ...

    Sean

  9. #9 Andrew-J2000
    Quote Originally Posted by seanf:
    Sounds dangerous ...

    Sean

    I'm not so sure; the only way I can see it being dangerous is if I code it poorly, which means I must include every function which can be maliciously used. What do you think?

    An example is the eval tag: although it might not seem that users can do much with it, it could be used for malicious code to be grouped together... Thus the need to ban that function.

  10. #10 Jeff Lange
    Yeah, I'd definitely ban eval.

  11. #11
    I thought PHP 4.3.0 was supposed to bring the possibility of allowing safe mode on a per-directory basis, with .htaccess / httpd.conf. Checking the manual, there's no sign of it. Maybe this will turn up in PHP 5.

    This may be one situation where you'd want to consider Smarty, it being almost a complete language now.

    The other thing you could consider is the tokenizer extension. It will be a lot of work, but basically you can use it to read a PHP script, analyse the contents, then decide which functions you want to allow.

  12. #12 Andrew-J2000
    Thanks everyone...

    Harry, there's no point me using Smarty when all my presentation logic is driven by XSLT... But I will definitely have a look into the tokenizer functions in more detail...

  13. #13 seanf
    Quote Originally Posted by Andrew-J2000:
    I'm not so sure; the only way I can see it being dangerous is if I code it poorly, which means I must include every function which can be maliciously used. What do you think?

    You should post a list of functions you're going to disallow; we may think of some you don't.

    BTW - don't forget backticks

    Sean

  14. #14 Andrew-J2000
    Quote Originally Posted by seanf:
    You should post a list of functions you're going to disallow; we may think of some you don't.

    BTW - don't forget backticks

    Sean

    I will list a few... thanks for reminding me about backticks, never thought about that...

    I've added quite a few; however, I still need to go through the rest of the functions.

    apache_child_terminate apache_lookup_uri apache_note apache_request_headers apache_response_headers apache_setenv virtual
    aspell_check_raw aspell_check aspell_new aspell_suggest

    bcadd bccomp bcdiv bcmod bcmul bcpow bcpowmod bcscale bcsqrt bcsub
    bzclose bzcompress bzdecompress bzerrno bzerror bzerrstr bzflush bzopen bzread bzwrite
    ccvs_add ccvs_auth ccvs_command ccvs_count ccvs_delete ccvs_done ccvs_init ccvs_lookup ccvs_new ccvs_report ccvs_return ccvs_reverse ccvs_sale ccvs_status ccvs_textvalue ccvs_void

    COM VARIANT com_addref com_get com_invoke com_isenum com_load_typelib com_load com_propget com_propput com_propset com_release com_set

    ClibPDF

    crack_check crack_closedict crack_getlastmessage crack_opendict
    cybercash_base64_decode cybercash_base64_encode cybercash_decr cybercash_encr
    cybermut_creerformulairecm cybermut_creerreponsecm cybermut_testmac
    cyrus_authenticate cyrus_bind cyrus_close cyrus_connect cyrus_query cyrus_unbind
    ctype_alnum ctype_alpha ctype_cntrl ctype_digit ctype_graph ctype_lower ctype_print ctype_punct ctype_space ctype_upper ctype_xdigit
    dba_close dba_delete dba_exists dba_fetch dba_firstkey dba_handlers dba_insert dba_list dba_nextkey dba_open dba_optimize dba_popen dba_replace dba_sync
    dbase_add_record dbase_close dbase_create dbase_delete_record dbase_get_record_with_names dbase_get_record dbase_numfields dbase_numrecords dbase_open dbase_pack dbase_replace_record
    dblist dbmclose dbmdelete dbmexists dbmfetch dbmfirstkey dbminsert dbmnextkey dbmopen dbmreplace
    dbx_close dbx_compare dbx_connect dbx_error dbx_escape_string dbx_query dbx_sort

    dbplus_add dbplus_aql dbplus_chdir dbplus_close dbplus_curr dbplus_errcode dbplus_errno dbplus_find dbplus_first dbplus_flush dbplus_freealllocks dbplus_freelock dbplus_freerlocks dbplus_getlock dbplus_getunique dbplus_info dbplus_last dbplus_lockrel dbplus_next dbplus_open dbplus_prev dbplus_rchperm dbplus_rcreate dbplus_rcrtexact dbplus_rcrtlike dbplus_resolve dbplus_restorepos dbplus_rkeys dbplus_ropen dbplus_rquery dbplus_rrename dbplus_rsecindex dbplus_runlink dbplus_rzap dbplus_savepos dbplus_setindex dbplus_setindexbynumber dbplus_sql dbplus_tcl dbplus_tremove dbplus_undo dbplus_undoprepare dbplus_unlockrel dbplus_unselect dbplus_update dbplus_xlockrel dbplus_xunlockrel
    dio_close dio_fcntl dio_open dio_read dio_seek dio_stat dio_tcsetattr dio_truncate dio_write
    chdir chroot dir closedir getcwd opendir readdir rewinddir (I may have missed a few functions out in this section for the domxml functions...)
    domxml_new_doc

    dotnet_load

    (all error logging will be done by me...)

    debug_backtrace error_log error_reporting restore_error_handler set_error_handler trigger_error user_error
    fbsql_affected_rows fbsql_autocommit fbsql_change_user fbsql_close fbsql_commit fbsql_connect fbsql_create_blob fbsql_create_clob fbsql_create_db fbsql_data_seek fbsql_database_password fbsql_database fbsql_db_query fbsql_db_status fbsql_drop_db fbsql_errno fbsql_error fbsql_fetch_array fbsql_fetch_assoc fbsql_fetch_field fbsql_fetch_lengths fbsql_fetch_object fbsql_fetch_row fbsql_field_flags fbsql_field_len fbsql_field_name fbsql_field_seek fbsql_field_table fbsql_field_type fbsql_free_result fbsql_get_autostart_info fbsql_hostname fbsql_insert_id fbsql_list_dbs fbsql_list_fields fbsql_list_tables fbsql_next_result fbsql_num_fields fbsql_num_rows fbsql_password fbsql_pconnect fbsql_query fbsql_read_blob fbsql_read_clob fbsql_result fbsql_rollback fbsql_select_ fbsql_set_lob_mode fbsql_set_transaction fbsql_start_db fbsql_stop_db fbsql_tablename fbsql_username fbsql_warnings
    filepro_fieldcount filepro_fieldname filepro_fieldtype filepro_fieldwidth filepro_retrieve filepro_rowcount filepro
    basename
    chgrp chmod chown clearstatcache copy

    //sort

    delete -- See unlink() or unset()
    disk_free_space -- Returns available space in directory
    disk_total_space -- Returns the total size of a directory
    diskfreespace -- Alias of disk_free_space()
    fclose -- Closes an open file pointer
    feof -- Tests for end-of-file on a file pointer
    fflush -- Flushes the output to a file
    fgetc -- Gets character from file pointer
    fgetcsv -- Gets line from file pointer and parse for CSV fields
    fgets -- Gets line from file pointer
    fgetss -- Gets line from file pointer and strip HTML tags
    file_exists -- Checks whether a file exists
    file_get_contents -- Reads entire file into a string
    file -- Reads entire file into an array
    fileatime -- Gets last access time of file
    filectime -- Gets inode change time of file
    filegroup -- Gets file group
    fileinode -- Gets file inode
    filemtime -- Gets file modification time
    fileowner -- Gets file owner
    fileperms -- Gets file permissions
    filesize -- Gets file size
    filetype -- Gets file type
    flock -- Portable advisory file locking
    fnmatch -- Match filename against a pattern
    fopen -- Opens file or URL
    fpassthru -- Output all remaining data on a file pointer
    fputs -- Writes to a file pointer
    fread -- Binary-safe file read
    fscanf -- Parses input from a file according to a format
    fseek -- Seeks on a file pointer
    fstat -- Gets information about a file using an open file pointer
    ftell -- Tells file pointer read/write position
    ftruncate -- Truncates a file to a given length
    fwrite -- Binary-safe file write
    glob -- Find pathnames matching a pattern
    is_dir -- Tells whether the filename is a directory
    is_executable -- Tells whether the filename is executable
    is_file -- Tells whether the filename is a regular file
    is_link -- Tells whether the filename is a symbolic link
    is_readable -- Tells whether the filename is readable
    is_uploaded_file -- Tells whether the file was uploaded via HTTP POST
    is_writable -- Tells whether the filename is writable
    is_writeable -- Tells whether the filename is writable
    link -- Create a hard link
    linkinfo -- Gets information about a link
    lstat -- Gives information about a file or symbolic link
    mkdir -- Makes directory
    move_uploaded_file -- Moves an uploaded file to a new location
    parse_ini_file -- Parse a configuration file
    pathinfo -- Returns information about a file path
    pclose -- Closes process file pointer
    popen -- Opens process file pointer
    readfile -- Outputs a file
    readlink -- Returns the target of a symbolic link
    realpath -- Returns canonicalized absolute pathname
    rename -- Renames a file
    rewind -- Rewind the position of a file pointer
    rmdir -- Removes directory
    set_file_buffer -- Alias of stream_set_write_buffer()
    stat -- Gives information about a file
    symlink -- Creates a symbolic link
    tempnam -- Create file with unique file name
    tmpfile -- Creates a temporary file
    touch -- Sets access and modification time of file
    umask -- Changes the current umask
    unlink -- Deletes a file

    [edit]

    SitePoint modified the formatting, so I will have to go through it later so you can read it more easily...
    Last edited by Andrew-J2000; Mar 7, 2003 at 20:25.

  15. #15 DR_LaRRY_PEpPeR
    Dear Lord.

    Don't forget people can do variable functions (if that's what they're called) to get around your "safeguards":

    PHP Code:
    <?php

    // Let's run eval()!
    $func = 'ev' . 'al';
    $func('Nasty code here');

    ?>

  16. #16 Andrew-J2000
    Quote Originally Posted by DR_LaRRY_PEpPeR:
    Dear Lord.

    Don't forget people can do variable functions (if that's what they're called) to get around your "safeguards":

    PHP Code:
    <?php

    // Let's run eval()!
    $func = 'ev' . 'al';
    $func('Nasty code here');

    ?>

    I just noticed this in PHP 4.3.2RC1:

    - Added "disable_classes" php.ini option to allow administrators to disable
    certain classes for security reasons. (Harald)

  17. #17 sojomy
    Quote Originally Posted by Phil.Roberts:
    If you're a professional host then you should know how to safeguard your server without resorting to crippling your PHP installation. All that will do is drive your users away.

    I know that this thread is old, but I've been searching the internet for 4 days and I can't find any help. I'm not a professional host, but I do have a server that hosts 5 or 6 of our internal websites (that only I have coding access to) as well as 3 or 4 customer websites that the end users have coding control of.

    The server is Windows 2000 Pro running Apache, PHP (as a CGI) and MySQL.
    All of the websites have access to PHP, and Apache is being run as a system service. I figured out how to restrict database access per user, but I am TOTALLY lost on how to protect the server from users "playing" with PHP. How can I stop the 3 or 4 customers from running things like
    PHP Code:
    exec("Delete c:\*.*");
    or something similar, or worse? More importantly, how do I restrict these users without crippling my own access?

    I am totally lost. I don't know if I'm supposed to restrict users via PHP or in my Apache setup or even with Windows 2000 security. I don't even know where to look because I don't even know what to look for. If anyone out there, a professional hosting person with experience maybe, has any help or leads, I'd greatly appreciate it. Also, like I said, I'm hosting on Windows 2000 Pro, so although help with security on linux might be interesting to know, I really do need to know if there's any windows 2000 specific security methods.

    Thanks in advance (even though I'll thank you after I get help too).


    Oh, and if anyone thinks that replying with nothing but "Why don't you just search Google?" is helpful, please, don't bother replying. That has got to be my second biggest pet peeve on these forums, second only to the people who do "Bump" 10 minutes after the original post. Sorry, had to vent.