Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:58641
Return-Path: <adamjonr@gmail.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 41350 invoked from network); 6 Mar 2012 07:34:16 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 6 Mar 2012 07:34:16 -0000
Authentication-Results: pb1.pair.com smtp.mail=adamjonr@gmail.com; spf=pass; sender-id=pass
Authentication-Results: pb1.pair.com header.from=adamjonr@gmail.com; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.214.170 as permitted sender)
X-PHP-List-Original-Sender: adamjonr@gmail.com
X-Host-Fingerprint: 209.85.214.170 mail-tul01m020-f170.google.com  
Received: from [209.85.214.170] ([209.85.214.170:40411] helo=mail-tul01m020-f170.google.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id A5/27-34145-8FDB55F4 for <internals@lists.php.net>; Tue, 06 Mar 2012 02:34:16 -0500
Received: by obbwd1 with SMTP id wd1so5934752obb.29
        for <internals@lists.php.net>; Mon, 05 Mar 2012 23:34:13 -0800 (PST)
Received-SPF: pass (google.com: domain of adamjonr@gmail.com designates 10.182.36.99 as permitted sender) client-ip=10.182.36.99;
Authentication-Results: mr.google.com; spf=pass (google.com: domain of adamjonr@gmail.com designates 10.182.36.99 as permitted sender) smtp.mail=adamjonr@gmail.com; dkim=pass header.i=adamjonr@gmail.com
Received: from mr.google.com ([10.182.36.99])
        by 10.182.36.99 with SMTP id p3mr8526013obj.74.1331019253291 (num_hops = 1);
        Mon, 05 Mar 2012 23:34:13 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=mime-version:date:message-id:subject:from:to:content-type;
        bh=O5utiA+4i6SzBnqIVwyKFEtGal/S93gocwjBNUFBAIk=;
        b=rjpqBiGfGrfZcxF+U/ZOgdjgoLJv2PmfvSlA8CDwPl4ES2fHXuWJR2FB+13aFtbEaa
         PaaDx5Kyb9VPBRnbWYUh9SixzH63Dor0tiGt+3709H+9VNCnmTvvFSFkbPGp9mbVMChf
         TIWKrLxcMiqGPxpRQcdrFCLybFGm5F4AdlDSiGWEXt9Q9aXg5OGOulNBKWmTmiTQ5vPY
         2bdTChAKF4IHD6ADsB+cD+qQjxaq5mYvgMY1kKXjYBx209uUzs2nVewjHik57u5Ktx2n
         TmtFChRMJw3iX/ONOHWj+IlmKDkf5NSQag/JdE1ywH42KgSDg/djT3V5qiZTe0NiOo7L
         bGGA==
MIME-Version: 1.0
Received: by 10.182.36.99 with SMTP id p3mr7516184obj.74.1331019253196; Mon,
 05 Mar 2012 23:34:13 -0800 (PST)
Received: by 10.182.19.104 with HTTP; Mon, 5 Mar 2012 23:34:13 -0800 (PST)
Date: Tue, 6 Mar 2012 02:34:13 -0500
Message-ID: <CAJzDObekVt_F6JZP-B-YCs0khvfcSDW1PNeC6Bf5LUk=xPqVAQ@mail.gmail.com>
To: internals@lists.php.net
Content-Type: multipart/alternative; boundary=f46d04451787c6a93704ba8e118d
Subject: Providing sandboxed versions of include and require language constructs
From: adamjonr@gmail.com (Adam Jon Richardson)

--f46d04451787c6a93704ba8e118d
Content-Type: text/plain; charset=ISO-8859-1

Plugins are a big deal (see
http://oneofmanyworlds.blogspot.in/2012/03/difficult-decision.html for a
recent example.) In this era of mashups and breakneck innovation,
developers must rely on vast amounts of code they've never seen, let alone
audited. Wordpress, Drupal, and many other tools developed in PHP make
plugin development easy and extremely powerful. While these tools
constantly work to improve security (and, at least relatively, do a solid
job most of the time), there remains significant challenges due to globally
accessible functions that allow manipulation of the environment (files,
DB's, networking, etc.) Any plugin can use these global functions to work
around the security restrictions imposed by the framework, library, or CMS.

While code audits can locate the offending scripts, this is a challenging
task, both in terms of time AND abilities. Languages and/or environments
that can mitigate these issues for the developer, while far from fool
proof, do offer real value on the security front. Lua provides the ability
for developers to limit the functions available in the current environment:
http://lua-users.org/wiki/SandBoxes

PHP does have an extension that offers several forms of sandboxing: runkit.
However, it's often not available in shared host environments.

The include (and require) construct is the front door for any plugin code.
What if PHP offered functions that implemented sandboxed versions of the
include and require language constructs (e.g.,
included_restricted('file/path', $functions = array('file',
'file_get_contents')))? Functional specs could include:

1) Internal functions seen as universally safe would by default be allowed
(e.g, str_replace(), array_pop(), etc.)
2) Unsafe internal functions would have to be explicitly declared (e.g.,
file(), stream_*, etc.)
3) Any includes or requires within the sandboxed code would be forced to
meet the same restrictions. (tricky)
4) Code containing unsafe functions not included in the whitelist would
raise an error.

There would be a performance hit for code that actually used the sandboxed
functions to include scripts, but for many applications, I suspect this
would be worth the hit. Security is becoming more important by the day
(just ask github: http://homakov.blogspot.com/2012/03/how-to.html#), and
empowering the developer with tools to enforce greater restrictions on the
ever-growing heaps of unaudited code seems wise.

Thoughts?

Adam

--f46d04451787c6a93704ba8e118d--