Detecting Function Calls
Moderator: General Moderators
-
alex.barylski
- DevNet Evangelist
- Posts: 6267
- Joined: Tue Dec 21, 2004 5:00 pm
- Location: Winnipeg
Re: Detecting Function Calls
If you're on a shared host, you're pretty much hosed...very little you can do...
Short of parsing any custom modules uploaded -- before they are processed by your framework/application/whatever and possibly removing or stubbing them out with wrapper functions.
- kaisellgren
- DevNet Resident
- Posts: 1675
- Joined: Sat Jan 07, 2006 5:52 am
- Location: Lahti, Finland.
Re: Detecting Function Calls
PCSpectra wrote: Short of parsing any custom modules uploaded
Finally a noteworthy suggestion, thanks!
-
alex.barylski
- DevNet Evangelist
- Posts: 6267
- Joined: Tue Dec 21, 2004 5:00 pm
- Location: Winnipeg
Re: Detecting Function Calls
I've built a few CMS in my time so I can only guess at what you're trying to accomplish.
What I have done in the past (quite hackishly) was use token_get_all() and searched for restricted functions and replaced them with a function of the same name but prefixed with an 'underscore' -- the stubbed functions are invoked and calls can be logged, trigger alerts for a system admin, etc.
EDIT | Not sure about security of such an approach. If you dynamically construct the name of a function I think you're pretty much screwed without runkit extension.
- kaisellgren
- DevNet Resident
- Posts: 1675
- Joined: Sat Jan 07, 2006 5:52 am
- Location: Lahti, Finland.
Re: Detecting Function Calls
PCSpectra wrote: I've built a few CMS in my time so I can only guess at what you're trying to accomplish.
I see.
PCSpectra wrote: If you dynamically construct the name of a function I think you're pretty much screwed without runkit extension.
Don't worry, I know what I am doing now.
Btw, how would you go for tokenizing functions inside a file? First strip out comments, then replace \s+ with one space and then look for a function-like pattern?
Re: Detecting Function Calls
Doesn't Smarty allow users to run whitelisted code? I believe it has a method for proxying function calls; actual PHP does not run within the template. You could also "embed" the PHP parser. I don't think regular expressions are going to cut it.
For instance how do you catch:
Code:
$str = 'IeNxNeOcCent'; // ( "innocent" line of code )
$cmd = '';
for ($i = 1; $i < 8; $i += 2)   // odd positions 1,3,5,7 of $str spell "exec"
    $cmd .= $str[$i];
$cmd('id'); // calls exec() thru 'reflective' (variable function) syntax
-
alex.barylski
- DevNet Evangelist
- Posts: 6267
- Joined: Tue Dec 21, 2004 5:00 pm
- Location: Winnipeg
Re: Detecting Function Calls
kaisellgren wrote: Btw, how would you go for tokenizing functions inside a file? First strip out comments, then replace \s+ with one space and then look for a function-like pattern?
No regex needed. You simply iterate the array of tokens until you find one that matches the function call you wish to stub/replace/rewrite, re-assembling the code from the token list when complete.
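The token-walk that alex.barylski describes, with the caveat raised earlier in the thread built in, as an added example (this is not code from the thread or from any project mentioned in it; the names RESTRICTED, DYNAMIC, restricted_call and rewrite_module are this example's own). It uses token_get_all() to find calls to restricted functions by name, rewrites them to a stub that logs and refuses, reassembles the source from the token list, and separately reports the call sites whose target cannot be known statically (variable functions like the `$cmd()` trick above, call_user_func, eval, backticks), since those cannot be stubbed by name.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread. RESTRICTED, DYNAMIC, restricted_call()
// and rewrite_module() are names chosen for this example.

// Functions an uploaded module must not call by name.
const RESTRICTED = ['exec', 'system', 'shell_exec', 'passthru', 'popen', 'proc_open'];
// Calls whose real target the tokenizer cannot resolve; reported, not rewritten.
const DYNAMIC    = ['call_user_func', 'call_user_func_array'];

// Stub that rewritten code invokes instead of the real function. The original
// arguments still arrive here, so the attempt can be logged for the admin.
function restricted_call(string $name): Closure
{
    return function (...$args) use ($name): void {
        error_log(sprintf('module tried %s(%s)', $name, json_encode($args)));
        throw new RuntimeException("$name() is not permitted in uploaded modules");
    };
}

// Index of the next ($step = +1) or previous ($step = -1) token that is
// neither whitespace nor a comment.
function skip(array $tokens, int $i, int $step): int
{
    $n = count($tokens);
    do {
        $i += $step;
    } while ($i >= 0 && $i < $n && is_array($tokens[$i])
             && in_array($tokens[$i][0], [T_WHITESPACE, T_COMMENT, T_DOC_COMMENT], true));
    return $i;
}

// Returns ['source' => rewritten code, 'stubbed' => [...], 'dynamic' => [...]].
function rewrite_module(string $src): array
{
    $tokens  = token_get_all($src);
    $n       = count($tokens);
    $out     = '';
    $stubbed = [];
    $dynamic = [];

    for ($i = 0; $i < $n; $i++) {
        $t = $tokens[$i];
        if (is_string($t)) {                   // one-character tokens: ( ) ; ` ...
            if ($t === '`') {
                $dynamic[] = 'backtick shell execution';
            }
            $out .= $t;
            continue;
        }
        [$id, $text, $line] = $t;
        $next   = skip($tokens, $i, +1);
        $prev   = skip($tokens, $i, -1);
        $isCall = $next < $n && $tokens[$next] === '(';
        // $obj->exec(, Foo::exec(, function exec(, new exec( are not calls to the builtin.
        $isMember = $prev >= 0 && is_array($tokens[$prev])
            && in_array($tokens[$prev][0], [T_OBJECT_OPERATOR, T_DOUBLE_COLON, T_FUNCTION, T_NEW], true);
        // Plain name exec( or fully qualified \exec( (PHP 8 tokenizes \exec as one token).
        $isName = $id === T_STRING
            || (defined('T_NAME_FULLY_QUALIFIED') && $id === T_NAME_FULLY_QUALIFIED);
        $name = strtolower(ltrim($text, '\\'));

        if ($isName && $isCall && !$isMember && in_array($name, RESTRICTED, true)) {
            $stubbed[] = "$name() at line $line";
            $out .= "restricted_call('$name')";   // the following "(" is kept as-is
            continue;
        }
        if ($isName && $isCall && !$isMember && in_array($name, DYNAMIC, true)) {
            $dynamic[] = "$name() at line $line";
        } elseif ($id === T_VARIABLE && $isCall) {  // $cmd(): name built at runtime
            $dynamic[] = "variable function $text() at line $line";
        } elseif ($id === T_EVAL) {
            $dynamic[] = "eval at line $line";
        }
        $out .= $text;
    }
    return ['source' => $out, 'stubbed' => $stubbed, 'dynamic' => $dynamic];
}

// Constructed sample module: one literal call and one obfuscated call.
$module = <<<'PHP'
<?php
exec('id');                      // caught by name and rewritten
$s = 'IeNxNeOcC';                // odd positions spell "exec"
$cmd = '';
for ($i = 1; $i < strlen($s); $i += 2) {
    $cmd .= $s[$i];
}
$cmd('id');                      // not catchable by name; reported as dynamic
PHP;

$r = rewrite_module($module);
echo $r['source'], "\n";
print_r($r['stubbed']);   // exec() at line 2
print_r($r['dynamic']);   // variable function $cmd() at line 8
```

The rewrite turns `exec('id')` into `restricted_call('exec')('id')`, so the module still parses and the stub sees the original arguments. The `$cmd('id')` line is left untouched because no name exists to match at tokenize time; the practical policy is to reject or quarantine a module whose `dynamic` list is non-empty rather than to pretend it has been neutralised. That matches kaisellgren's stated goal of catching accidents: a module that builds function names at runtime is not an accident.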
- kaisellgren
- DevNet Resident
- Posts: 1675
- Joined: Sat Jan 07, 2006 5:52 am
- Location: Lahti, Finland.
Re: Detecting Function Calls
PCSpectra wrote: No regex needed. You simply iterate the array of tokens until you find one that matches the function call you wish to stub/replace/rewrite. Re-assembling the code from the token list when complete.
Hmm yeah I guess that will do.
@Josh: I am fighting against accidents, not cunning coders.
Re: Detecting Function Calls
PCSpectra wrote: No regex needed. You simply iterate the array of tokens until you find one that matches the function call you wish to stub/replace/rewrite. Re-assembling the code from the token list when complete.
Hmm, that works, but how do you get the tokens? Does PHP really have a feature like that without implementing it as an extension? I guess a regex-based solution would protect against "accidents", but it wouldn't be sufficient against a "cunning programmer".
- John Cartwright
- Site Admin
- Posts: 11470
- Joined: Tue Dec 23, 2003 2:10 am
- Location: Toronto
- Contact:
Re: Detecting Function Calls
josh wrote: Does PHP really have a feature like that without implementing it as an extension?
http://ca.php.net/token_get_all
Re: Detecting Function Calls
Interesting, thanks.