Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:58910
Return-Path: <adamjonr@gmail.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 93413 invoked from network); 13 Mar 2012 06:39:35 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 13 Mar 2012 06:39:35 -0000
Authentication-Results: pb1.pair.com header.from=adamjonr@gmail.com; sender-id=pass
Authentication-Results: pb1.pair.com smtp.mail=adamjonr@gmail.com; spf=pass; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.160.170 as permitted sender)
X-PHP-List-Original-Sender: adamjonr@gmail.com
X-Host-Fingerprint: 209.85.160.170 mail-gy0-f170.google.com  
Received: from [209.85.160.170] ([209.85.160.170:65421] helo=mail-gy0-f170.google.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id 2A/C0-20054-6ABEE5F4 for <internals@lists.php.net>; Tue, 13 Mar 2012 01:39:35 -0500
Received: by ghbg2 with SMTP id g2so211347ghb.29
        for <internals@lists.php.net>; Mon, 12 Mar 2012 23:39:32 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=mime-version:in-reply-to:references:date:message-id:subject:from:to
         :cc:content-type;
        bh=EDbc69YMGTJXJMGfTDUy+Fw5Xe9m3vTuusCIBYsZwoU=;
        b=ivHNjTq4jOxeWtkUsXv9eLBJW4ELPhbNbkZz+9CP9lUdNk93KlOKJ0vN/6z4PnxKQv
         D7ZmPQm4r37Nx73bsZD8yOrHSYDufKIwT/I3JJ+WtjXTF07XjZY+rBr3Z9mBdDyPrSFb
         gZA1m4+6asnKREPKJaxxmLvbibv3CoahgYkUTBXBb6Y3Hw2465TTwrSpYCWIeQPAPs5u
         35QlMdtWh2Z+6SbfGCvlOxYanefWBOfQ9nKBasnd2tNdRJc5tcNumClEimfYBhjkiyEg
         Fm1Imga5h2LhISj3atVLWzgAfKqiS4a8nalF8AqMTSfu54Wwpy66M6itMPK6bssKFmx2
         bVsA==
MIME-Version: 1.0
Received: by 10.182.225.69 with SMTP id ri5mr10427075obc.74.1331620772365;
 Mon, 12 Mar 2012 23:39:32 -0700 (PDT)
Received: by 10.182.19.104 with HTTP; Mon, 12 Mar 2012 23:39:32 -0700 (PDT)
In-Reply-To: <4F57D47E.1000804@gmail.com>
References: <CAJzDObekVt_F6JZP-B-YCs0khvfcSDW1PNeC6Bf5LUk=xPqVAQ@mail.gmail.com>
	<4F55DB1F.5040108@sugarcrm.com>
	<CAJzDObcwd6KMSNvJa8mui0QGiof+BEMoJ2WuGEq09uN+yc4n+g@mail.gmail.com>
	<4F567FD9.2050609@gmail.com>
	<CAJzDObcEUscO7q=h0DToEwvrxZMDnWFxjZnmWrsWxx+CKDkVxg@mail.gmail.com>
	<4F57D47E.1000804@gmail.com>
Date: Tue, 13 Mar 2012 02:39:32 -0400
Message-ID: <CAJzDObcT62byEbNREFEnPGcnSzc_r6PdWPK9B4kiaM3LMK-Nqg@mail.gmail.com>
To: =?ISO-8859-1?Q?=C1ngel_Gonz=E1lez?= <keisial@gmail.com>
Cc: "internals@lists.php.net" <internals@lists.php.net>
Content-Type: multipart/alternative; boundary=f46d044797131cc79004bb1a1f32
Subject: Re: [PHP-DEV] Providing sandboxed versions of include and require
 language constructs
From: adamjonr@gmail.com (Adam Jon Richardson)

--f46d044797131cc79004bb1a1f32
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable

2012/3/7 =C1ngel Gonz=E1lez <keisial@gmail.com>

> On 07/03/12 00:04, Adam Jon Richardson wrote:
> > It would be the responsibility of the framework or CMS or application
> > to protect against this type of attack (which they do quite well.)
> > When you can force a plugin to work through your API, you can take
> > appropriate measures. When the plugin can avoid working through, say,
> > a file API that protects against misuse by using the internal file
> > functions, this is a much more difficult issue to mitigate.
> The key point is precisely, how do you ensure they can only call your API=
?
>

The idea would be to have a default whitelist of internal functions that
can be easily expanded per include as needed. That way, the script
including another script can determine how much power/trust they're willing
to hand off.

For example:

// EXAMPLE 1: included script would only be able to call functions found in
default whitelist
include_restricted('file/path1');

// EXAMPLE 2: included script would only be able to call functions found in
default whitelist and PDO
include_restricted('file/path2', $whitelist =3D array(SANDBOX_PDO));

The types of restrictions that involve restricting calls to internal
functions (e.g., file()) are, at least conceptually, is straight forward.
However, PDO has an object interface. For objects, I'm researching the idea
of limiting the creation of new objects within the included script. That is
to say that in example 1, the included script would raise an error if it
tried to create a PDO object directly.

However, in some situations, the framework or CMS may hand off a PDO object
to the included script or expose a factory API (maybe the intent is to
share a DB connection), and in this case, the sandbox would allow the PDO
object to be utilized within the script. The idea is for the framework/CMS
to be the gatekeeper for all of the applications resources, and if the
framework designers want to hand off an object for use, then that fits with
the general model I'm proposing.

Right now, it's very difficult to enforce any restrictions on included
scripts because they have access to all of the internal functions available
to the framework/CMS (using something like the disable_functions directive
limits the framework/CMS too much and works from a blacklist approach.)

I'm not saying this would be easy to implement, or that it would be
perfectly secure. I am saying that it's worth careful examination and that
there are many potential solutions that could make things better in terms
of application security.

Thanks for the feedback,

Adam

--f46d044797131cc79004bb1a1f32--