Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:58683
Return-Path: <keisial@gmail.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 67873 invoked from network); 6 Mar 2012 21:16:36 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 6 Mar 2012 21:16:36 -0000
Authentication-Results: pb1.pair.com header.from=keisial@gmail.com; sender-id=pass
Authentication-Results: pb1.pair.com smtp.mail=keisial@gmail.com; spf=pass; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.212.170 as permitted sender)
X-PHP-List-Original-Sender: keisial@gmail.com
X-Host-Fingerprint: 209.85.212.170 mail-wi0-f170.google.com  
Received: from [209.85.212.170] ([209.85.212.170:61783] helo=mail-wi0-f170.google.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id DF/0D-32184-3BE765F4 for <internals@lists.php.net>; Tue, 06 Mar 2012 16:16:36 -0500
Received: by wibhj13 with SMTP id hj13so2837895wib.29
        for <internals@lists.php.net>; Tue, 06 Mar 2012 13:16:33 -0800 (PST)
Received-SPF: pass (google.com: domain of keisial@gmail.com designates 10.216.133.39 as permitted sender) client-ip=10.216.133.39;
Authentication-Results: mr.google.com; spf=pass (google.com: domain of keisial@gmail.com designates 10.216.133.39 as permitted sender) smtp.mail=keisial@gmail.com; dkim=pass header.i=keisial@gmail.com
Received: from mr.google.com ([10.216.133.39])
        by 10.216.133.39 with SMTP id p39mr9420457wei.40.1331068593025 (num_hops = 1);
        Tue, 06 Mar 2012 13:16:33 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=message-id:date:from:user-agent:mime-version:to:cc:subject
         :references:in-reply-to:content-type:content-transfer-encoding;
        bh=YwJhVQ/wn4Xy8atxaJKpzwek8UN0sSp4EwAi19DIP8I=;
        b=AFf8O1zDEyD9yBDh2f7JgSC8PGVmhsy6dHuo0RGAz3cv4YOAYKpJSrXj/Y8fzQM82e
         HXJF9ZGJXCKJJ1b/GGvNC1e182/R+k1zEuZETYIb5noXx/SzqnDXYQRmLz+Y7RG91TBs
         kvJsbjW9fcM2Lm+z0Ewjswjw1EBSa4jnAwEB88woW4+uk0bE226scBmIhTzEvOKwy6ce
         UwZGcLt1CfpXyCVIAPjKQRD111FyyKfdu9WISXj5li9EuB4mcIyZxh8qSnJ4DZV3fIMc
         HTUIfcPHJJwnTu5r4B+tmHdPdFgVHfhIQOUkiSuiw1YFvf+jl3TJ7yJqEUB8tJh9hCM1
         HQ5w==
Received: by 10.216.133.39 with SMTP id p39mr7482317wei.40.1331068592917;
        Tue, 06 Mar 2012 13:16:32 -0800 (PST)
Received: from [192.168.1.26] (86.red-80-28-65.adsl.dynamic.ccgg.telefonica.net. [80.28.65.86])
        by mx.google.com with ESMTPS id ep17sm29856292wid.2.2012.03.06.13.16.30
        (version=SSLv3 cipher=OTHER);
        Tue, 06 Mar 2012 13:16:31 -0800 (PST)
Message-ID: <4F567FD9.2050609@gmail.com>
Date: Tue, 06 Mar 2012 22:21:29 +0100
User-Agent: Thunderbird
MIME-Version: 1.0
To: Adam Jon Richardson <adamjonr@gmail.com>
CC: Stas Malyshev <smalyshev@sugarcrm.com>, 
 "internals@lists.php.net" <internals@lists.php.net>
References: <CAJzDObekVt_F6JZP-B-YCs0khvfcSDW1PNeC6Bf5LUk=xPqVAQ@mail.gmail.com> <4F55DB1F.5040108@sugarcrm.com> <CAJzDObcwd6KMSNvJa8mui0QGiof+BEMoJ2WuGEq09uN+yc4n+g@mail.gmail.com>
In-Reply-To: <CAJzDObcwd6KMSNvJa8mui0QGiof+BEMoJ2WuGEq09uN+yc4n+g@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Subject: Re: [PHP-DEV] Providing sandboxed versions of include and require
 language constructs
From: keisial@gmail.com (=?ISO-8859-1?Q?=C1ngel_Gonz=E1lez?=)

On 06/03/12 14:04, Adam Jon Richardson wrote:
> The sandbox I'm considering would only impact the ability to directly call
> internal functions. The idea rests on the hope that the framework or CMS
> provides a security model that protects the integrity of their own
> environment. The framework can for example hand off whatever state
> variables are deemed appropriate and necessary to a plugin. The framework
> can make public whatever methods are appropriate and necessary. However,
> the framework can't currently limit the direct calls to internal functions
> (without parsing the PHP source and it's dependencies), which could allow
> the plugin developer to circumvent the security policies of the framework.
>
> Indeed, the complexity is extreme, even for the limited scope of this idea.
> And, avoiding complexity for the developers using the sandboxed version
> would be difficult, too.
>
> I'm wondering if it would be easier to allow constants representing entire
> classes of functionality. For example:
>
> include_restricted('file/path', $whitelist = array('SANDBOX_FILE',
> 'SANDBOX_PDO', 'SANDBOX_MYSQL', 'SANDBOX_SOCKET'));
>
> If an error was raised because an included file required additional access,
> the error message could detail the exact constant(s) that would have to be
> whitelisted for the include to be allowed.
>
> Thank you for the feedback, Stas. The questions and concerns raised in this
> discussion help considerably.
>
> Adam
It's not that easy. The internal functions could be splitted to
safe/unsafe (according
tosome definition, which would itself be a controversial one) but all
functions defined
outside would be injection candidates, too. Suppose you modified the
function
hash table to store if it's a limited function or it should be run with
high privileges.
Now, you need to audit the whole framework so that no can be tricked
into doing more
things than it should, if called from low-privilege code.
Which is pretty hard when that code could be corrupting your variables.
For instance, a safe framework function to perform database queries,
could become
unsafe by changing the db configuration (usually stored on globals),
allowing connections
to arbitrary servers.
Or a malicious plugin could register a class with the same name as a
framework one, before
the autoloader loads the right one, and have it used by privileged code.

PHP is not designed to use it that way, so unless there is an high level
way to do it, it's probably
impossible to do right. Maybe you can perform a full global replacement
when calling
untrusted code. That might work.