Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:58660
Return-Path: <adamjonr@gmail.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 86179 invoked from network); 6 Mar 2012 13:04:11 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 6 Mar 2012 13:04:11 -0000
Authentication-Results: pb1.pair.com smtp.mail=adamjonr@gmail.com; spf=pass; sender-id=pass
Authentication-Results: pb1.pair.com header.from=adamjonr@gmail.com; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.214.170 as permitted sender)
X-PHP-List-Original-Sender: adamjonr@gmail.com
X-Host-Fingerprint: 209.85.214.170 mail-tul01m020-f170.google.com  
Received: from [209.85.214.170] ([209.85.214.170:34444] helo=mail-tul01m020-f170.google.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id 8B/CF-34145-A4B065F4 for <internals@lists.php.net>; Tue, 06 Mar 2012 08:04:11 -0500
Received: by obbwd1 with SMTP id wd1so6261164obb.29
        for <internals@lists.php.net>; Tue, 06 Mar 2012 05:04:08 -0800 (PST)
Received-SPF: pass (google.com: domain of adamjonr@gmail.com designates 10.182.38.7 as permitted sender) client-ip=10.182.38.7;
Authentication-Results: mr.google.com; spf=pass (google.com: domain of adamjonr@gmail.com designates 10.182.38.7 as permitted sender) smtp.mail=adamjonr@gmail.com; dkim=pass header.i=adamjonr@gmail.com
Received: from mr.google.com ([10.182.38.7])
        by 10.182.38.7 with SMTP id c7mr9627962obk.44.1331039048410 (num_hops = 1);
        Tue, 06 Mar 2012 05:04:08 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=mime-version:in-reply-to:references:date:message-id:subject:from:to
         :cc:content-type;
        bh=f/DALnF2i9vDMxvVcEHD7kCrR32VFvCSkqhdyMu8Wgs=;
        b=uvg3GubMfBT+SjjOmhcp79LsDAVVLejhx6KCc9YSD8n436kH0cC86aA0C2afuRKOrO
         JaRrwsi35BgAj+CiOzeafKLO2yPNfg4pw2XoJQ2cLmYXsA4oQwOTSwK33FQQ8th4t2ZF
         v/2Z2GQ6tAQzfAI4tFl+ux8bF0a+ODvNXHRuTvt3IxFrKjifIxgi4KTYZ5dqR310GzM9
         Yi0bouhpykWDjkJlR7WWaaMZtj/3SM3GJGsGp/NNLGl77Fl31fEDsJH9BbEt/ucoOtGT
         a5ld7yVNjaBdKo2YtHqUtQfO0hGJD2qO3LAXG3RG0lG1VS7lg11+iqHjdfGZZs34F1TQ
         7Pvg==
MIME-Version: 1.0
Received: by 10.182.38.7 with SMTP id c7mr8494193obk.44.1331039048357; Tue, 06
 Mar 2012 05:04:08 -0800 (PST)
Received: by 10.182.19.104 with HTTP; Tue, 6 Mar 2012 05:04:08 -0800 (PST)
In-Reply-To: <4F55DB1F.5040108@sugarcrm.com>
References: <CAJzDObekVt_F6JZP-B-YCs0khvfcSDW1PNeC6Bf5LUk=xPqVAQ@mail.gmail.com>
	<4F55DB1F.5040108@sugarcrm.com>
Date: Tue, 6 Mar 2012 08:04:08 -0500
Message-ID: <CAJzDObcwd6KMSNvJa8mui0QGiof+BEMoJ2WuGEq09uN+yc4n+g@mail.gmail.com>
To: Stas Malyshev <smalyshev@sugarcrm.com>
Cc: "internals@lists.php.net" <internals@lists.php.net>
Content-Type: multipart/alternative; boundary=f46d0447f28ca8d67004ba92ad39
Subject: Re: [PHP-DEV] Providing sandboxed versions of include and require
 language constructs
From: adamjonr@gmail.com (Adam Jon Richardson)

--f46d0447f28ca8d67004ba92ad39
Content-Type: text/plain; charset=ISO-8859-1

On Tue, Mar 6, 2012 at 4:38 AM, Stas Malyshev <smalyshev@sugarcrm.com>wrote:

> Hi!
>
>  Thoughts?
>>
>
> This is a fine idea, however actually doing it is not that easy. Note that
> knowing which function is "safe" is pretty hard, but that's only a start.
> Plugin code, for example, can call functions outside plugin context, while
> passing all kinds of arguments - is it safe or not? It depends on the
> context - e.g. plugin may need access to the database - directly or through
> some API - but that opens the door to various SQL injections and other
> mischief, etc. etc.
> So while the idea is fine, designing a working sandbox is a very
> complicated task. That said, if you have any ideas - you're welcome to
> propose.


The sandbox I'm considering would only impact the ability to directly call
internal functions. The idea rests on the hope that the framework or CMS
provides a security model that protects the integrity of their own
environment. The framework can for example hand off whatever state
variables are deemed appropriate and necessary to a plugin. The framework
can make public whatever methods are appropriate and necessary. However,
the framework can't currently limit the direct calls to internal functions
(without parsing the PHP source and it's dependencies), which could allow
the plugin developer to circumvent the security policies of the framework.

Indeed, the complexity is extreme, even for the limited scope of this idea.
And, avoiding complexity for the developers using the sandboxed version
would be difficult, too.

I'm wondering if it would be easier to allow constants representing entire
classes of functionality. For example:

include_restricted('file/path', $whitelist = array('SANDBOX_FILE',
'SANDBOX_PDO', 'SANDBOX_MYSQL', 'SANDBOX_SOCKET'));

If an error was raised because an included file required additional access,
the error message could detail the exact constant(s) that would have to be
whitelisted for the include to be allowed.

Thank you for the feedback, Stas. The questions and concerns raised in this
discussion help considerably.

Adam

--f46d0447f28ca8d67004ba92ad39--