Embedding secure scripting language in PHP (req PHP internals expert)

Collapse
This topic is closed.
X
X
Collapse
 
  • Page of 1
  • Time
  • Show
Clear All
new posts
Previous template Next
  • Nemon
    #1

    Embedding secure scripting language in PHP (req PHP internals expert)


    I need to expose some scripting functionality to novice users in a project
    of mine. What i wonderd was if anyone knew a way of executing secure PHP
    from within a PHP script or an alternative embedded scripting method? Some
    interaction between the PHP script host and the secure embedded script are
    needed.

    I'm currently i'm playing with ASP.NET(C#) and embeded
    jscript(spiderm onkey) via managed C++ library but it's quite alot of work,
    complex.

    I already know about runkit but last time i checked it was pretty broken
    and lacked execution time limits; I also emailed the author but got no
    reply. Perhaps just fixing runkit myself would be a simpler option? Is
    this a viable option, can runkit be fixed up to properly secure a PHP
    context? Spawning a seperate process for every request is pretty much out
    of the question as it's too expensive for what i have in mind, this is for
    a windows host so.

    I need to allow looping, branching and basic PHP features but no access to
    OS resources and absolutely no file system access. I'd also need a way to
    impose memory and CPU time restrictions.

    Thanks for any help.
    --
    Using Opera's revolutionary e-mail client: http://www.opera.com/mail/
    Tags: None
    • Johnny
      #2
      Re: Embedding secure scripting language in PHP (req PHP internals expert)


      "Nemon" <nemon@home.fak e.comwrote in message
      news:op.tgle7lu 5no4rwm@nautilu s...
      <snip />
      I need to allow looping, branching and basic PHP features but no access to
      OS resources and absolutely no file system access. I'd also need a way to
      impose memory and CPU time restrictions.
      >
      hehe sounds a lot like a plain vanilla shared hosting account :-)

      one host I deal with will let you do limited system things like
      system("ls -l",$ret);
      but won't let you do chmod,create or write to a file (unless directory
      permissions are set to 757) since php comes in as an other user.

      I guess you could always redefine system, fopen and a few other functions so
      that they allow url opeing where appropriate but not local files.
      and then make it so that the code interface is via php so you control what
      gets uploaded and run.

      and you can set both timeout and max memory usage in php.ini


        Comment

        • Nemon
          #3
          Re: Embedding secure scripting language in PHP (req PHP internals expert)

          On Fri, 29 Sep 2006 06:55:46 +0100, Johnny
          <removethis.huu anito@hotmail.c omwrote:
          I guess you could always redefine system, fopen and a few other
          functions so
          that they allow url opeing where appropriate but not local files.
          and then make it so that the code interface is via php so you control
          what
          gets uploaded and run.
          I think this is what runkit does through its extension; it creates another
          PHP context and hooks certain PHP functions to control access and usage.
          Using file system restrictions probably wont work because the host script
          does need database/filesystem/network access, it's just the restricted PHP
          that shouldnt be allow todo anything but access a provided API and perform
          basic PHP language operations. There is afaik no way you can provide a
          restricted "eval" like you can in other languages, like Lua. Lua really is
          ideal for this sort of restriction but it's an extremely basic quirky
          language which is no good atall for web development.

          I think runkit might be my soloution but i can only get it to compile
          statically linked which means i'm probably going to have to do a complete
          build of PHP on windows, not tham i'm affraid of getting my hands dirty
          it's just more work i dont need.

          I guess im still weighing up whether ASP.NET + Spidermonkey will be a
          better soloution than doing a complete rebuild of PHP + fixed runkit.
          Fixing runkit looks like im really going to have todo my homework on the
          PHP Zend engine and go on a serious bug hunt. I found some pretty basic
          bugs in runkit that i wasn't expecting to find. Things like not allocating
          space and corrupting the stack.... made me lose a little faith in runkits
          security.

          I really need some PHP internals guru to chime in.

            Comment

            Previous template Next
            Working...