Is file access restricted to Filesystem functions?

Verminox
Forum Contributor
Posts: 101
Joined: Sun May 07, 2006 5:19 am

Is file access restricted to Filesystem functions?

Post by Verminox »

I'm writing a PHPSandbox class that allows evaluating of PHP Code with certain restrictions on which functions/classes can be accessed, something like a more secure version of eval().

Now, I know that if I disable access to all mysql_* functions I will be restricting MySQL database access, and if I restrict other PHP extension-specific functions that particular functionality will be disabled.

However, when I think of functions that come under more general categories, like string functions, array functions, filesystem functions, etc. I don't know whether these are unique. String and array handling is not a threat but I'm more worried about filesystem functions.

That is to say, if I pick each of the functions under the category PHP: Filesystem Functions, and disable their use, will I be guaranteed that a malicious user cannot read/write arbitrary files? Or are there other extensions in PHP or other categories of functions which offer similar access? If so, which ones? Or is my entire approach fundamentally wrong?
www.WeAnswer.IT
Forum Newbie
Posts: 24
Joined: Wed Mar 19, 2008 6:33 pm

Re: Is file access restricted to Filesystem functions?

Post by www.WeAnswer.IT »

You're not wrong, but you're probably biting off more than you can chew.

PHP has a LOT (thousands and thousands) of functions, and trying to go through and figure out which ones are safe and which ones are dangerous would be nearly impossible, unless you had very tight control over which extensions PHP is loading with.

This is what you would need to know in order to do what you want:
1. What extensions your copy of PHP is loading
2. Every function that you have access to (probably several thousand!)
3. Which ones are dangerous
4. Some way to remove all the dangerous functions without bogging down your server

In general, allowing anyone to use a PHP "sandbox" on your server is ridiculously dangerous! If people want a sandbox, they can install XAMPP or Vertrigo or EasyPHP.
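
The inventory described in steps 1 to 3 above can be started with PHP's own reflection API. This is an added example, not code from either poster: the function name `pathTakingFunctions` and the `PATH_HINT` parameter-name pattern are assumptions, and the pattern is only a heuristic for spotting functions that accept a file or directory argument.

```php
<?php
// Added example (not from the thread): list every loaded extension's
// functions and flag those whose parameters look like a file or directory
// path, so a sandbox blocklist can be checked against the real attack surface.
declare(strict_types=1);

// Heuristic assumption: parameter names that usually denote a path or URL.
const PATH_HINT = '/^(file(_?name)?|path(name)?|dir(ectory)?|source|uri|url)$/i';

/** Return [extension => [function => [matching parameter names]]]. */
function pathTakingFunctions(): array
{
    $report = [];
    foreach (get_loaded_extensions() as $ext) {
        // get_extension_funcs() returns false when an extension has no functions
        foreach (get_extension_funcs($ext) ?: [] as $fn) {
            try {
                $params = (new ReflectionFunction($fn))->getParameters();
            } catch (ReflectionException $e) {
                continue; // e.g. a function already removed by disable_functions
            }
            $hits = [];
            foreach ($params as $p) {
                if (preg_match(PATH_HINT, $p->getName())) {
                    $hits[] = $p->getName();
                }
            }
            if ($hits) {
                $report[$ext][$fn] = $hits;
            }
        }
    }
    ksort($report);
    return $report;
}

$report = pathTakingFunctions();
printf(
    "%d internal functions across %d extensions\n",
    count(get_defined_functions()['internal']),
    count(get_loaded_extensions())
);
foreach ($report as $ext => $fns) {
    printf("[%s] %d path-taking: %s\n", $ext, count($fns), implode(', ', array_keys($fns)));
}
```

The report only covers functions: classes such as `SplFileObject` and language constructs such as `include` and `require` are not functions and will not appear in it, so they need separate handling in any blocklist.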