Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:58699 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 93525 invoked from network); 6 Mar 2012 23:04:43 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 6 Mar 2012 23:04:43 -0000 Authentication-Results: pb1.pair.com smtp.mail=adamjonr@gmail.com; spf=pass; sender-id=pass Authentication-Results: pb1.pair.com header.from=adamjonr@gmail.com; sender-id=pass Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.214.170 as permitted sender) X-PHP-List-Original-Sender: adamjonr@gmail.com X-Host-Fingerprint: 209.85.214.170 mail-tul01m020-f170.google.com Received: from [209.85.214.170] ([209.85.214.170:51660] helo=mail-tul01m020-f170.google.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id 1D/92-15021-A08965F4 for ; Tue, 06 Mar 2012 18:04:42 -0500 Received: by obbwd1 with SMTP id wd1so6946418obb.29 for ; Tue, 06 Mar 2012 15:04:39 -0800 (PST) Received-SPF: pass (google.com: domain of adamjonr@gmail.com designates 10.60.12.230 as permitted sender) client-ip=10.60.12.230; Authentication-Results: mr.google.com; spf=pass (google.com: domain of adamjonr@gmail.com designates 10.60.12.230 as permitted sender) smtp.mail=adamjonr@gmail.com; dkim=pass header.i=adamjonr@gmail.com Received: from mr.google.com ([10.60.12.230]) by 10.60.12.230 with SMTP id b6mr8504781oec.54.1331075079714 (num_hops = 1); Tue, 06 Mar 2012 15:04:39 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=OYb1f+XsxZK75JB+v8kQEZV+fnW7nyRrUGQbGKw6nls=; b=VggucdtOdfGR8pVTavak0E9gWL6Sf7VxzlxjAZMkjKtuX1Oqy52CrTQ4kUJUoJAhvf oYjjcJ0CGUXH4ExRY5zpC3O9ZIrIH0be6KqY7vKh9X+MG9aHHmzhc/TKW2POrU4aLEVR OpgVs6d9x743czA1ubtB0d1uYXkLAtQOeqRFVL4W0fGUSWRmgnVuFlYAATqQtydpZf7b T2ekcS4mjv6nJfg+WkGj9P3SsZKiY+sSsAkt4djfWjZL2zbSCgtdBvCo3lZhbkHWRhUp X4y3AgIBE2zlasG8c4vDJsz8ZQEgAiv48y9NfU+Tt+Q/gQtEnYG3lnRb3HPvWnMDYs3v SMgQ== MIME-Version: 1.0 Received: by 10.60.12.230 with SMTP id b6mr7499085oec.54.1331075079637; Tue, 06 Mar 2012 15:04:39 -0800 (PST) Received: by 10.182.19.104 with HTTP; Tue, 6 Mar 2012 15:04:39 -0800 (PST) In-Reply-To: <4F567FD9.2050609@gmail.com> References: <4F55DB1F.5040108@sugarcrm.com> <4F567FD9.2050609@gmail.com> Date: Tue, 6 Mar 2012 18:04:39 -0500 Message-ID: To: =?ISO-8859-1?Q?=C1ngel_Gonz=E1lez?= Cc: "internals@lists.php.net" Content-Type: multipart/alternative; boundary=e89a8ff1ce264a8c0604ba9b1110 Subject: Re: [PHP-DEV] Providing sandboxed versions of include and require language constructs From: adamjonr@gmail.com (Adam Jon Richardson) --e89a8ff1ce264a8c0604ba9b1110 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable 2012/3/6 =C1ngel Gonz=E1lez > On 06/03/12 14:04, Adam Jon Richardson wrote: > > The sandbox I'm considering would only impact the ability to directly > call... > It's not that easy. The internal functions could be splitted to > safe/unsafe (according > tosome definition, which would itself be a controversial one) Yes, perhaps controversial, but using an objective criterion like purity would aid the effort. > but all > functions defined > outside would be injection candidates, too. The idea I put forth would only deal with internal functions. Frameworks and CMS's would still be on-the-hook to validate incoming data and escape data according to context for all of the functions that they expose to the plugin/library. And this would still be very beneficial. As framework developer, I can validate the inputs coming into my API hooks and escape the outputs according to context. However, when plugin developers can call the internal functions and circumvent my protections, this is a more difficult issue to solve en masse. > Suppose you modified the > function > hash table to store if it's a limited function or it should be run with > high privileges. > I'm not promoting a privilege-based system of high and low privileges. Rather, I'm posing the possibility of limiting the access of included code to internal functions/objects. > Now, you need to audit the whole framework so that no can be tricked > into doing more > things than it should, if called from low-privilege code. > Which is pretty hard when that code could be corrupting your variables. > For instance, a safe framework function to perform database queries, > could become > unsafe by changing the db configuration (usually stored on globals), > allowing connections > to arbitrary servers. > It would be the responsibility of the framework or CMS or application to protect against this type of attack (which they do quite well.) When you can force a plugin to work through your API, you can take appropriate measures. When the plugin can avoid working through, say, a file API that protects against misuse by using the internal file functions, this is a much more difficult issue to mitigate. > Or a malicious plugin could register a class with the same name as a > framework one, before > the autoloader loads the right one, and have it used by privileged code. > > PHP is not designed to use it that way, so unless there is an high level > way to do it, it's probably > impossible to do right. Maybe you can perform a full global replacement > when calling > untrusted code. That might work. > Javascript wasn't "designed this way", either. However, tools like Secure EcmaScript go a long way towards protecting against the attacks mashups typically must prevent by protecting/limiting the environment: http://code.google.com/p/es-lab/wiki/SecureEcmaScript http://www.infoq.com/presentations/Secure-Mashups-in-ECMAScript-5 Thanks for the feedback, Angel. Adam --e89a8ff1ce264a8c0604ba9b1110--