Stripping dangerous code from eval? probably not possible..


8 replies to this topic

#1 yonta

yonta
  • Members
  • Advanced Member
  • 70 posts

Posted 23 July 2006 - 05:20 PM

Hi:)

I would like to build something like this: try ruby in your browser (http://tryruby.hobix.com) but using PHP (the language to learn) and Flash (the interface). Basically a try PHP in your browser. The idea is to learn a bit more Flash and PHP. It's all almost done but the problem is how do I stop the user from writing code that exposes for example my site's password, or deleting all files, etc..

I would like to allow only stuff like echo, print, array but not stuff like fopen, fwrite, unlink and a whole bunch of other functions or global variables. I would still like that users could make up their own variable names, instead of strictly following a tutorial I would write - this would allow me to predict everything that could be written and so I could validate the code string first before using eval on it, but this is not how the try ruby works. You can input any word as a variable.

I'm thinking that this is not actually possible but maybe someone knows of a solution?

Thanks for any help
do it, do it right, do it right now

#2 Joe Haley

Joe Haley
  • Members
  • Advanced Member
  • 103 posts
  • Location: Canada, eh?

Posted 23 July 2006 - 05:31 PM

You could use a complex system of regular expressions to only allow specific functions, and specific input into those functions.
Give a man a fish; you have fed him for today.  Teach a man to fish; and you have fed him for a lifetime
Don't teach men to program. Teach them to fish.

Please, try the RTFM solution before asking for help:
http://php.net/manual/en/index.php

#3 yonta

yonta
  • Members
  • Advanced Member
  • 70 posts

Posted 23 July 2006 - 05:40 PM

OK.. Don't really understand simple regular expressions, much less complex ones..

Thanks anyway

#4 Joe Haley

Joe Haley
  • Members
  • Advanced Member
  • 103 posts
  • Location: Canada, eh?

Posted 23 July 2006 - 05:43 PM

http://www.regular-expressions.info/

There are many, many great places to learn about regular expressions. Try reading up on them, they're quite useful.

#5 Orio

Orio
  • Staff Alumni
  • Advanced Member
  • 2,491 posts

Posted 23 July 2006 - 05:51 PM

Create an array with all of the function names you don't want people to use, then loop through it and check if the values are in that string.
Example:
<?php
$input=$_POST['input']; //$input is the code the user wants to execute

$forbidden=array("unlink", "header", "session", "mysql"); //Write all the words you want to check, you can also write things like "mysql" to prevent all mysql functions.

foreach($forbidden as $word){
  //stripos: PHP function names are case-insensitive, so "UNLINK()" has to be caught as well
  if(stripos($input, $word)!==false){die("Error- you used one of the forbidden functions");}
}

//rest of code
?>


But I think the whole idea of letting the user do whatever they want sounds insecure. I mean, the user can make lots of long loops and such, and make your server slow. It's hard to control.

Orio.
Think you're smarty?

(Gone until 20 to November)

#6 448191

448191
  • Staff Alumni
  • Advanced Member
  • 3,545 posts
  • Location: Netherlands

Posted 23 July 2006 - 05:54 PM

You don't need regex (although I agree it can be useful). Just use an array of functions to allow and treat all others as strings. Be careful what functions to allow. Distrust any user input (as always).

You can't possibly check for all functions you want to exclude, because:
1) There are a lot.
2) Users won't directly be using the php function, but a function or method you will have to write that produces a specific result in the visitors' browser.

You have to be pretty sure about this, it sounds like a lot of work.
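
Putting 448191's allow-list advice into working code (and showing why Orio's substring search is not enough), as an added example that is not from the thread: it walks the token stream from PHP's built-in token_get_all() and accepts a call only if the name before "(" is on the list, while closures, new, static and method calls, eval/include, backticks, variable variables and superglobals are rejected. The constants ALLOWED, OPENERS, FORBIDDEN, SKIP and the function checkUserCode() are names chosen for this example.

```php
<?php
// Added example, not from the thread: allow-list check of user code via PHP's tokenizer.
// A call is accepted only when the identifier before "(" is on the list; grepping the
// source for bad words (Orio's strstr loop) is case- and spelling-fragile by comparison.
const ALLOWED = ['strlen', 'strtoupper', 'count', 'implode', 'explode', 'range'];
// Keywords that may legitimately precede "(" without being a function call.
const OPENERS = [T_OPEN_TAG, T_IF, T_ELSEIF, T_WHILE, T_FOR, T_FOREACH, T_SWITCH, T_ECHO,
                 T_PRINT, T_ARRAY, T_LIST, T_ISSET, T_EMPTY, T_UNSET, T_RETURN];
// Constructs rejected outright wherever they appear.
const FORBIDDEN = [T_EVAL, T_INCLUDE, T_INCLUDE_ONCE, T_REQUIRE, T_REQUIRE_ONCE, T_NEW,
                   T_DOUBLE_COLON, T_OBJECT_OPERATOR, T_NS_SEPARATOR, T_DOLLAR_OPEN_CURLY_BRACES];
const SKIP = [T_WHITESPACE, T_COMMENT, T_DOC_COMMENT];

/** Returns null when $code passes, otherwise a message naming the first rejected token. */
function checkUserCode(string $code, array $allowed = ALLOWED): ?string
{
    $prev = null;                                   // last significant token seen
    foreach (token_get_all("<?php " . $code) as $t) {
        if (is_array($t) && in_array($t[0], SKIP, true)) continue;
        if (is_array($t)) {
            if (in_array($t[0], FORBIDDEN, true)) return "not allowed: {$t[1]}";
            // Superglobals and $GLOBALS expose server state, cookies and session data.
            if ($t[0] === T_VARIABLE && preg_match('/^\$(_|GLOBALS$|this$)/', $t[1])) {
                return "not allowed: {$t[1]}";
            }
        } elseif ($t === '`' || $t === '$') {
            // Backticks run a shell command; a lone "$" starts a variable variable ($$name).
            return "not allowed: $t";
        } elseif ($t === '(') {
            if (is_array($prev)) {
                $ok = ($prev[0] === T_STRING && in_array(strtolower($prev[1]), $allowed, true))
                   || in_array($prev[0], OPENERS, true);
            } else {
                // A one-character operator before "(" is grouping, e.g. "= (1 + 2)", while
                // ")", "]" or "}" would make it a call on an expression result.
                $ok = !in_array($prev, [')', ']', '}'], true);
            }
            if (!$ok) return "call not allowed: " . (is_array($prev) ? $prev[1] : $prev) . '(';
        }
        $prev = $t;
    }
    return null;
}

// Constructed inputs: the first passes; the last two are rejected, although a
// case-sensitive strstr($input, "unlink") search would not catch either of them.
var_dump(checkUserCode('$w = ["a", "b"]; echo strtoupper(implode("-", $w));'));
var_dump(checkUserCode('$f = "un" . "link"; $f("secret.txt");'));
var_dump(checkUserCode('echo UNLINK("secret.txt");'));
```

Pair it with max_execution_time and memory_limit, since a token check cannot stop the long-loop case Orio raises. As 448191 says, the list itself has to be chosen carefully; constants such as PHP_OS are not checked here.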

#7 ShogunWarrior

ShogunWarrior
  • Members
  • Advanced Member
  • 528 posts
  • Location: Ireland

Posted 23 July 2006 - 09:49 PM

If you can modify your PHP INI with ini_set then you can set safe mode on (safe_mode), set a list of disabled functions with (disable_functions) and (disable_classes).
My New Site/Blog (http://www.daviddora...nmedia.com/) | Check your page for broken links/images/scripts (http://www.daviddora...m/check/)

Zend Certified Engineer
Follow me on Twitter: http://twitter.com/davidd

#8 448191

448191
  • Staff Alumni
  • Advanced Member
  • 3,545 posts
  • Location: Netherlands

Posted 23 July 2006 - 10:06 PM

> If you can modify your PHP INI with ini_set then you can set safe mode on (safe_mode), set a list of disabled functions with (disable_functions) and (disable_classes).

Unfortunately, that will also disable the functions and built-in classes for all scripts. I can imagine you probably need many functions in your scripts that you don't want visitors to use.

And, like I said, you'll need to mimic the functions, not relay them, if you are to have any control over what the visitor does to your site with this potentially dangerously leaky app.

#9 yonta

yonta
  • Members
  • Advanced Member
  • 70 posts

Posted 25 July 2006 - 12:20 PM

Thanks for the replies.

But I've basically given up, it's too dangerous to expose my server (not mine - the webhost's) to this. Served my (Flash) learning purposes. Now I've protected access to it, and use it whenever I wanna do a quick test on a function.
