I am wondering what security concerns there are to implementing a PHP evaluator like this:
This is in the context of making a PHP sandbox so sanitising against DB input etc. isn’t a massive issue.
Users destroying the server the file is hosted on is.
I’ve seen Ruby simulators so I was curious what’s involved security wise (vague details at least).
Thanks all. I’m not even sure on which answer to accept because they are all useful.
Owen’s answer summarises what I suspected (the server itself would be at risk).
arin’s answer gives a great example of the potential problems.
Geoff’s answer and randy’s answer echo the general opinion that you would need to write your own evaluator to achieve simulation type capabilities.
………………………………….
could potentially be in really big trouble if you eval()’d something like
it’s an extreme example but it that case your site would just get deleted. hopefully your permissions wouldn’t allow it but, it helps illustrate the need for sanitization & checks.
………………………………….
don’t do that.
they basically have access to anything you can do in PHP (look around the file system, get/set any sort of variables, open connections to other machines to insert code to run, etc…)
………………………………….
If you allow arbitrary code to be run on your server, it’s not your server any more.
………………………………….
The eval() function is hard to sanitize and even if you did there would surely be a way around it. Even if you filtered ‘exec’, all you need to do is to somehow glue the string ‘exec’ into a variable, and then do $variable(). You’d need to really cripple the language to achieve at least some sort of imaginary security.
………………………………….
There are a lot of things you could say.. The concerns are not specific to PHP.
Here’s the simple answer:
Any input to your machine (or database) needs to be sanitized.
The code snippet you’ve posted pretty much lets a user run any code they want, so it’s especially dangerous.
There is a pretty good introductory article on code injection here:
Wikipedia on Code Injection.