Newsgroups: php.internals
Subject: Re: [PHP-DEV] [Discussion] Sandbox API
From: lists@ageofdream.com (Nick Lockheart)
To: internals@lists.php.net
Date: Wed, 07 Aug 2024 08:09:04 -0400
References: <7d9a9752-a202-4099-a60a-2686d4265d96@gmail.com>

> >
> > Introducing a sandbox API for security also opens up a can of worms
> > for the security policy. Right now we are assuming an attacker
> > model of a remote attacker, and that the code running on your
> > server is trusted. But that would change when an official sandbox
> > API is introduced.
> >
> > Kind regards
> > Niels
> >
> Hey Niels,
>
> I find this assertion kind of scary from a shared hosting perspective
> or even from a 3v4l kind of perspective. How do these services
> protect themselves if PHP is inherently insecure?
>
> — Rob

So I was thinking about this a bit more and I thought: what if, instead of adding a sandbox as a feature of PHP, PHP *was* the sandbox?

So consider this: what if the PHP engine added a C API that lets C/C++ programs not only spin up and run PHP, but also control and monitor the execution of the PHP environment from the outside?

That would essentially make every instance of PHP a sandbox. But now we would be able to control, monitor, and override certain behavior from the outside while a script runs.
This gives us a foundation to do two different things.

** Thing 1: A PHP extension for the PHP C API **

PHP's C API could then be controlled by a PHP script by using a PHP extension that wraps the PHP API. This would allow PHP scripts to spin up and control instances of PHP, each running in its own execution context. This meets the use case of unit testing scripts and secure execution of third-party plugins by PHP applications.

** Thing 2: C/C++ programs could use PHP as a library **

With a comprehensive C API to PHP, we could build C/C++ applications that use PHP scripts as plugins.

Let's consider a use case for a social media site or ecommerce platform that is high traffic and written in PHP. What if we moved the front controller logic to a C application that was built as an Nginx module? Nginx modules are statically linked, so now our front controller, written in C, would be native inside Nginx, usable in location blocks.

Thanks to the C API for PHP, our front-controller-as-Nginx-plugin can directly invoke parts of the PHP application as needed, and inject resources directly into the PHP environment.

This isn't the same as a FastCGI pass. This moves the routing, session setup, and other redundant code into a native C application that's actually part of the whole app. So you could route requests, set up sessions, and serve cached pages as fast as Nginx can process a request (about 1ms).

When the C-land front controller needs to invoke PHP, it invokes PHP through PHP's C API, which lets the front controller pass data directly into the PHP instance. For example, the C front controller application can register a database class inside the PHP environment that's already primed with an open database connection (saves 20ms).

Because the running PHP application is actually talking back and forth with the C-land front controller, the C-land front controller can remember things (including session details) for faster responses.
This hybrid approach gives you the best of both worlds: very fast response times for most requests, because the front controller, sessions and other resources are handled in native C land inside the web server, while also giving you the flexibility, ease of use, and rapid prototyping of PHP.