Is file access restricted to Filesystem functions?
Posted: Thu Mar 13, 2008 12:18 pm
I'm writing a PHPSandbox class that allows evaluating of PHP Code with certain restrictions on which functions/classes can be accessed, something like a more secure version of eval().
Now, I know that if I disable access to all mysql_* functions I will be restricting MySQL database access, and if I restrict other PHP extension-sepcific functions that particular functionality will be dissabled.
However, when I think of functions that come under more general categories, like string functions, array functions, filesystem functions, etc. I dont know whether these are unique. String and array handling is not a threat but Im more worried about filesystem functions.
That is to say, if I pick each of the functions under the category PHP: Filesystem Functions, and disable their use, will I be guarenteed that a malicious user cannot read/write arbitrary files? Or are there other extensions in PHP or other categories of functions which offer similar access? If so, which ones? Or is my entire approach fundamentally wrong?
Now, I know that if I disable access to all mysql_* functions I will be restricting MySQL database access, and if I restrict other PHP extension-sepcific functions that particular functionality will be dissabled.
However, when I think of functions that come under more general categories, like string functions, array functions, filesystem functions, etc. I dont know whether these are unique. String and array handling is not a threat but Im more worried about filesystem functions.
That is to say, if I pick each of the functions under the category PHP: Filesystem Functions, and disable their use, will I be guarenteed that a malicious user cannot read/write arbitrary files? Or are there other extensions in PHP or other categories of functions which offer similar access? If so, which ones? Or is my entire approach fundamentally wrong?