What are the security issues when evaluating user code?

I'm curious about security; there is a PHP evaluator implementation as follows:

<?php eval($_POST['codeInput']); ?>

This is for a PHP sandbox, so sanitization against DB input, etc. is not a major issue.

Users destroying the server the file is hosted on is.

I saw Ruby simulators, so I was curious about what is related to security (at least vague details).


Thanks to everyone. I'm not even sure which answer to accept, because they are all useful.

Owen's answer summarizes what I suspected (the server itself would be in danger).

arin's answer provides an excellent example of potential problems.

Jeff's answer and randy's answer reflect a common opinion that you will need to write your own evaluator to get opportunities like modeling.

+5
9 answers

It could potentially be a really big problem if you eval() something like:

<?php
   eval("shell_exec(\"rm -rf {$_SERVER['DOCUMENT_ROOT']}\");");
?>

This is an extreme example, but in this case your site will simply be deleted. I hope your permissions do not allow this, but it will help illustrate the need for sanitization and checks.

+5

Do not do that.

, PHP ( , / , , ..)

+18

eval() , , . exec, , , - exec , $variable(). , - .

+6

, . , PHP.

:

( ) .

, , .

:

.

+4

, .

+4

. . ,

, . . , - , .

, - . , , - psudo, . A-la bbcode .

+3

- PHP, REPL eval.

. -.

+3

Do , .

, , , : http://tryruby.hobix.com/ - . , , .

. , .

!

+2

As already mentioned, you need to sanitize your entries. I suggest that you could use some regular filtering to remove unwanted commands, such as "exec", and basically every malicious command that PHP has to offer (or that can be used), and that is a lot.

-1
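The question's summary notes that a sandbox needs its own evaluator rather than eval(), and the last answer suggests filtering command names out of the input. The following is an added example, not code from this thread, of the first approach: a hypothetical `SafeCalc` class that parses an allowlisted arithmetic grammar, so nothing the user types is ever executed as PHP. The class name, the grammar and the 200-byte length limit are assumptions made for illustration.

```php
<?php
// Added example, not code from the thread: the submitted text is parsed by a
// small interpreter and never reaches eval(). SafeCalc is a hypothetical name.
final class SafeCalc {
    private array $tok = [];
    private int $pos = 0;
    public function evaluate(string $input): float {
        if (strlen($input) > 200) throw new InvalidArgumentException('too long');
        // Allowlist: numbers, + - * /, parentheses; any other byte fails the comparison.
        preg_match_all('/\d+(?:\.\d+)?|[-+*\/()]/', $input, $m);
        if (implode('', $m[0]) !== preg_replace('/\s+/', '', $input)) {
            throw new InvalidArgumentException('disallowed input');
        }
        $this->tok = $m[0];
        $this->pos = 0;
        $value = $this->expr();
        if ($this->pos !== count($this->tok)) throw new InvalidArgumentException('trailing token');
        return $value;
    }
    private function peek(): ?string { return $this->tok[$this->pos] ?? null; }
    private function take(): ?string { return $this->tok[$this->pos++] ?? null; }
    private function expr(): float { // term (('+'|'-') term)*
        $v = $this->term();
        while (in_array($this->peek(), ['+', '-'], true)) {
            $v = $this->take() === '+' ? $v + $this->term() : $v - $this->term();
        }
        return $v;
    }
    private function term(): float { // factor (('*'|'/') factor)*
        $v = $this->factor();
        while (in_array($this->peek(), ['*', '/'], true)) {
            $op = $this->take();
            $r = $this->factor();
            if ($op === '/' && $r == 0.0) throw new InvalidArgumentException('division by zero');
            $v = $op === '*' ? $v * $r : $v / $r;
        }
        return $v;
    }
    private function factor(): float { // number | '-' factor | '(' expr ')'
        $t = $this->take();
        if ($t === '-') return -$this->factor();
        if ($t === '(') {
            $v = $this->expr();
            if ($this->take() !== ')') throw new InvalidArgumentException('missing )');
            return $v;
        }
        if ($t !== null && is_numeric($t)) return (float) $t;
        throw new InvalidArgumentException('unexpected token');
    }
}
```

`(new SafeCalc())->evaluate('2 * (3 + 4)')` returns `14.0`, while any input containing letters, quotes, `$` or `;` raises `InvalidArgumentException` before parsing starts. Because the grammar only names what is permitted, there is no list of dangerous functions to keep up to date.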
