I am wondering what security concerns there are to implementing a PHP evaluator like this:
我想知道实现这样的PHP求值器需要考虑哪些安全问题:
<?php eval($_POST['codeInput']); %>
This is in the context of making a PHP sandbox so sanitising against DB input etc. isn't a massive issue.
这是在创建PHP沙箱的环境中,这样对DB输入进行清理就不是什么大问题了。
Users destroying the server the file is hosted on is.
用户破坏承载文件的服务器。
I've seen Ruby simulators so I was curious what's involved security wise (vague details at least).
我已经见过Ruby模拟器,所以我很好奇什么涉及到安全性(至少是模糊的细节)。
Thanks all. I'm not even sure on which answer to accept because they are all useful.
谢谢所有。我甚至不确定该接受哪个答案,因为它们都是有用的。
Owen's answer summarises what I suspected (the server itself would be at risk).
欧文的回答总结了我的怀疑(服务器本身也有风险)。
arin's answer gives a great example of the potential problems.
奥林的回答为潜在问题提供了一个很好的例子。
Geoff's answer and randy's answer echo the general opinion that you would need to write your own evaluator to achieve simulation type capabilities.
Geoff的回答和randy的回答呼应了一般的观点,即您需要编写自己的评估程序来实现模拟类型功能。
9 个解决方案
#1
5
could potentially be in really big trouble if you eval()'d something like
如果您使用eval()之类的方法,可能会遇到很大的麻烦吗
<?php
eval("shell_exec(\"rm -rf {$_SERVER['DOCUMENT_ROOT']}\");");
?>
it's an extreme example but it that case your site would just get deleted. hopefully your permissions wouldn't allow it but, it helps illustrate the need for sanitization & checks.
这是一个极端的例子,但是你的网站会被删除。希望您的权限不会允许它,但它有助于说明需要进行清理和检查。
#2
18
don't do that.
不要这样做。
they basically have access to anything you can do in PHP (look around the file system, get/set any sort of variables, open connections to other machines to insert code to run, etc...)
它们基本上可以访问PHP中可以做的任何事情(查看文件系统、获取/设置任何类型的变量、打开与其他机器的连接以插入要运行的代码等)。
#3
6
The eval() function is hard to sanitize and even if you did there would surely be a way around it. Even if you filtered exec, all you need to do is to somehow glue the string exec into a variable, and then do $variable(). You'd need to really cripple the language to achieve at least some sort of imaginary security.
eval()函数很难被清除,即使您这样做了,也肯定会有办法绕过它。即使您过滤了exec,您所需要做的就是以某种方式将字符串exec粘到一个变量中,然后执行$variable()。你需要真正削弱语言,至少达到某种假想的安全。
#4
4
There are a lot of things you could say.. The concerns are not specific to PHP.
你可以说很多话。这些关注不是PHP特有的。
Here's the simple answer:
答案很简单:
Any input to your machine (or database) needs to be sanitized.
需要对机器(或数据库)的任何输入进行清理。
The code snippet you've posted pretty much lets a user run any code they want, so it's especially dangerous.
您所发布的代码片段可以让用户运行他们想要的任何代码,因此这是非常危险的。
There is a pretty good introductory article on code injection here:
这里有一篇关于代码注入的很好的介绍性文章:
*在代码注入。
#5
4
If you allow arbitrary code to be run on your server, it's not your server any more.
如果允许在服务器上运行任意代码,那么它就不再是您的服务器了。
#6
3
Dear god NO. I cringe even at the title. Allowing user to run any kind of arbitrary code is like handing the server over to them
亲爱的上帝。即使是标题,我也不敢苟同。允许用户运行任意类型的代码就像把服务器交给他们一样
I know the people above me already said that. But believe me. That's never enough times that someone can tell you to sanitize your input.
我知道我上面的人已经说过了。但相信我。如果有人告诉你要对你的输入进行消毒,那绝对是不够的。
If you really, really want to allow user to run some kind of code. Make a subset of the commands available to the user by creating some sort of psudo language that the user can use to do that. A-la the way bbcode or markdown works.
如果你真的,真的想让用户运行某种代码。通过创建用户可以使用的某种psudo语言,使用户可以使用的命令的子集。bbcode或markdown的工作方式。
#7
3
If you are looking to build an online PHP interpreter, you will need to build an actual REPL interpreter and not use eval.
如果希望构建在线PHP解释器,则需要构建一个实际的REPL解释器,而不需要使用eval。
Otherwise, never ever execute arbitrary user code. Ever.
否则,永远不要执行任意的用户代码。永远。
#8
2
Do NOT allow unfiltered code to be executed on your server, period.
不要让未过滤的代码在服务器上执行,句号。
If you'd like to create a tool that allows for interactive demonstration of a language such as the tool seen here: http://tryruby.hobix.com/ I would work on coding a sub portion of the language yourself. Ideally, you'll be using it to demonstrate simple concepts to new programmers, so it's irrelevant if you properly implement all the features.
如果您想要创建一个工具来支持语言的交互式演示,比如这里看到的工具:http://tryruby.hobix.com/,那么我将自己编写语言的子部分。理想情况下,您将使用它向新程序员演示简单的概念,因此,如果您正确地实现了所有特性,那么它是无关紧要的。
By doing this you can control the input via a white list of known acceptable input. If the input isn't on the white list it isn't executed.
通过这样做,您可以通过一个已知可接受输入的白列表来控制输入。如果输入不在白色列表中,则不会执行。
Best of luck!
最好的运气!
#9
-1
As already answered, you need to sanitize your inputs. I guess you could use some regex-filtring of some kind to remove unwanted commands such as "exec" and basically every malicious command PHP has got to offer (or which could be exploited), and that's a lot.
如前所述,您需要对输入进行清理。我猜您可以使用某种regex过滤来删除不需要的命令,比如“exec”和PHP提供的所有恶意命令(或者可以利用的),这是很多。
#1
5
could potentially be in really big trouble if you eval()'d something like
如果您使用eval()之类的方法,可能会遇到很大的麻烦吗
<?php
eval("shell_exec(\"rm -rf {$_SERVER['DOCUMENT_ROOT']}\");");
?>
it's an extreme example but it that case your site would just get deleted. hopefully your permissions wouldn't allow it but, it helps illustrate the need for sanitization & checks.
这是一个极端的例子,但是你的网站会被删除。希望您的权限不会允许它,但它有助于说明需要进行清理和检查。
#2
18
don't do that.
不要这样做。
they basically have access to anything you can do in PHP (look around the file system, get/set any sort of variables, open connections to other machines to insert code to run, etc...)
它们基本上可以访问PHP中可以做的任何事情(查看文件系统、获取/设置任何类型的变量、打开与其他机器的连接以插入要运行的代码等)。
#3
6
The eval() function is hard to sanitize and even if you did there would surely be a way around it. Even if you filtered exec, all you need to do is to somehow glue the string exec into a variable, and then do $variable(). You'd need to really cripple the language to achieve at least some sort of imaginary security.
eval()函数很难被清除,即使您这样做了,也肯定会有办法绕过它。即使您过滤了exec,您所需要做的就是以某种方式将字符串exec粘到一个变量中,然后执行$variable()。你需要真正削弱语言,至少达到某种假想的安全。
#4
4
There are a lot of things you could say.. The concerns are not specific to PHP.
你可以说很多话。这些关注不是PHP特有的。
Here's the simple answer:
答案很简单:
Any input to your machine (or database) needs to be sanitized.
需要对机器(或数据库)的任何输入进行清理。
The code snippet you've posted pretty much lets a user run any code they want, so it's especially dangerous.
您所发布的代码片段可以让用户运行他们想要的任何代码,因此这是非常危险的。
There is a pretty good introductory article on code injection here:
这里有一篇关于代码注入的很好的介绍性文章:
*在代码注入。
#5
4
If you allow arbitrary code to be run on your server, it's not your server any more.
如果允许在服务器上运行任意代码,那么它就不再是您的服务器了。
#6
3
Dear god NO. I cringe even at the title. Allowing user to run any kind of arbitrary code is like handing the server over to them
亲爱的上帝。即使是标题,我也不敢苟同。允许用户运行任意类型的代码就像把服务器交给他们一样
I know the people above me already said that. But believe me. That's never enough times that someone can tell you to sanitize your input.
我知道我上面的人已经说过了。但相信我。如果有人告诉你要对你的输入进行消毒,那绝对是不够的。
If you really, really want to allow user to run some kind of code. Make a subset of the commands available to the user by creating some sort of psudo language that the user can use to do that. A-la the way bbcode or markdown works.
如果你真的,真的想让用户运行某种代码。通过创建用户可以使用的某种psudo语言,使用户可以使用的命令的子集。bbcode或markdown的工作方式。
#7
3
If you are looking to build an online PHP interpreter, you will need to build an actual REPL interpreter and not use eval.
如果希望构建在线PHP解释器,则需要构建一个实际的REPL解释器,而不需要使用eval。
Otherwise, never ever execute arbitrary user code. Ever.
否则,永远不要执行任意的用户代码。永远。
#8
2
Do NOT allow unfiltered code to be executed on your server, period.
不要让未过滤的代码在服务器上执行,句号。
If you'd like to create a tool that allows for interactive demonstration of a language such as the tool seen here: http://tryruby.hobix.com/ I would work on coding a sub portion of the language yourself. Ideally, you'll be using it to demonstrate simple concepts to new programmers, so it's irrelevant if you properly implement all the features.
如果您想要创建一个工具来支持语言的交互式演示,比如这里看到的工具:http://tryruby.hobix.com/,那么我将自己编写语言的子部分。理想情况下,您将使用它向新程序员演示简单的概念,因此,如果您正确地实现了所有特性,那么它是无关紧要的。
By doing this you can control the input via a white list of known acceptable input. If the input isn't on the white list it isn't executed.
通过这样做,您可以通过一个已知可接受输入的白列表来控制输入。如果输入不在白色列表中,则不会执行。
Best of luck!
最好的运气!
#9
-1
As already answered, you need to sanitize your inputs. I guess you could use some regex-filtring of some kind to remove unwanted commands such as "exec" and basically every malicious command PHP has got to offer (or which could be exploited), and that's a lot.
如前所述,您需要对输入进行清理。我猜您可以使用某种regex过滤来删除不需要的命令,比如“exec”和PHP提供的所有恶意命令(或者可以利用的),这是很多。