Page 2 of 2

Posted: Fri Oct 15, 2004 8:00 am
by timvw
there is a php validator too... which only validates the code, but does not execute it.... will try to find url to the project ;)




http://pear.php.net/package/PHP_Parser

Posted: Fri Oct 15, 2004 8:06 am
by m3mn0n
kettle_drum wrote:But you must still assume that all users are out to get you and are stupid - a trusted user could do just as much damage by accident as a hacker could.
But in a controlled environment such as the ones I mentioned, it would be very easy to track and confront anyone who did something remotely dangerous.

What would be needed is:

1. script entry logging, to see who ran what and at what time
2. detailed remote user logging (host/isp/user agent/time)
3. function detection, so functions like:

[php_man]unlink()[/php_man]
[php_man]exec()[/php_man]
[php_man]system()[/php_man]
[php_man]ini_set()[/php_man]
[php_man]highlight_file()[/php_man]
and etc cannot execute.

Posted: Fri Oct 15, 2004 1:21 pm
by kettle_drum
But its still only a computer, passwords can often easily be guessed, and so you cant assume that the person is who you think it is. And once you get access to the system it doesnt matter how much you log.

By creating a php file that you can get to on the web you can have anything run - create a file with exec() in and have it saved - then its not executing it in the current script, but when you visit that page. Make this script include some this code in hex and have it decode it before eval()ing it and the script doesnt even see that your adding a exec() to the file.

There is no safe way to have this done, and i would just us such a validater as tim suggests.

Posted: Fri Oct 15, 2004 2:36 pm
by tchenowe
Thanks for all the input. I like the idea of writting the user input to a file and then executing the file. I assume either exec() or system() will do that (I'll research that). I think this would give me more control over the errors that the students' scripts cause (and the corresponding feedback I give them). I'm also going to check out Tim's parser.

Again, I appreciate all of your input. However you all need to keep in mind that I am talking about an educational environment, not a production environment. Currently, my students can place anything they want into a script, load it onto the class server and run it. I mean, infinit loops are fact of life for me. They happen all the time. I really don't see how what I am proposing is more dangerous than my current system. In fact, it is probably safer since I will have at least some control over what my students are doing, which I don't have now.

Plus, I will do this in a moduler fashion. For instance, many of my students struggle with arrays (especially associative arrays). So my first module will probably deal with arrays, and I will restrict the functions I allow to only those that manipulate arrays. This design along with password protecting the system should make it safe enough for my purposes.

Posted: Sat Oct 16, 2004 6:01 am
by dethron
what a teacher, wow, great.

Posted: Sat Oct 16, 2004 7:23 am
by m3mn0n
tchenowe wrote:However you all need to keep in mind that I am talking about an educational environment, not a production environment. Currently, my students can place anything they want into a script, load it onto the class server and run it. I mean, infinit loops are fact of life for me. They happen all the time. I really don't see how what I am proposing is more dangerous than my current system. In fact, it is probably safer since I will have at least some control over what my students are doing, which I don't have now.
Yeah I figured that much when I wrote my last post.


Well good luck with whatever option you choose to take.

Posted: Sat Oct 16, 2004 2:36 pm
by timvw
Assuming you have the PEAR package PHP_Parser installed:

Code: Select all

<?php 

// +---------------------------------------------------------------------------
// | phpparser.php
// |
// | Author: Tim Van Wassenhove <timvw@users.sourceforge.net>
// | Update: 2004-10-16 19:56
// |
// | A little script that will accept a php sourcecode, and parse it.
// | Makes use of the PEAR PHP_Parser (http://pear.php.net/package/PHP_Parser)
// +---------------------------------------------------------------------------
require_once('PHP/Parser.php');

// test if a file was posted
if (array_key_exists('codefile', $_FILES))
{
    $result = PHP_Parser::parseFile($_FILES['codefile']['tmp_name']);
    
    // test if no errors where raised while parsing
    if (PEAR::isError($result))
    {
        echo "Code is invalid: ";
        echo $result->getMessage();
    }
    else
    {
        echo "Code is valid.<br />";
        echo highlight_file($_FILES['codefile']['tmp_name']);
    }
}

?>

<form enctype="multipart/form-data" action="<?php echo $_SERVER['PHP_SELF']; ?>" method="POST">
<input type="hidden" name="MAX_FILE_SIZE" value="30000" />
Send this file: <input name="codefile" type="file" />
<input type="submit" value="Validate Code" />
</form>

Posted: Sat Oct 16, 2004 4:52 pm
by Steveo31
You could just make a function that will remove keywords such as unlink, unset, etc. Kinda like one of those SQL-injection preventors or "bad word" filters. Be kinda fun to make I think. If it's under control and is very secure, i.e. passwords, htaccess, etc, then I don't see much of a problem.

Posted: Sat Oct 16, 2004 7:50 pm
by tchenowe
Thanks for the code snippet Tim. By the way, how stable is the parser? From what I read at the pear web sight it sounds like it is still in the development stage. However, it also looked like its been a while since that had been updated.

Posted: Sat Oct 16, 2004 8:33 pm
by dimitris
Phenom wrote:
potsed wrote:wouldnt that have huge security issues??
Boy would I have lots of fun with this :) You are right it is a MAJOR security issue.
Definitely this could allow everything! :!:

Posted: Sun Oct 17, 2004 6:12 am
by timvw
tchenowe wrote:Thanks for the code snippet Tim. By the way, how stable is the parser? From what I read at the pear web sight it sounds like it is still in the development stage. However, it also looked like its been a while since that had been updated.
as they say themselves, it's in "devel" status. devel < alpha < beta < stable


i've noticed it says there are errors, although the script itself seems to work.

Posted: Sun Oct 17, 2004 11:08 am
by tchenowe
OK Tim. I'll keep that in mind while I play with it. Thanks again.