Re: [PHP-DEV] removing functions?
From: Chuck Adams (scrytch)
Date: 05/28/00

Zeev Suraski writes:
> I think it may be worth it to allow administrators to replace the
> implementation of a given function with a built-in function, that says that
> the function that has been called has been disabled for security
> reasons. This function will not be configurable - so that it doesn't give
> you any rope at all. It'll simply prevent that specific function from
> working, report it clearly to the end user, and prevent libraries from
> overwriting it.
>
> Would that be ok?

It's a good start at any rate, less coarse than safemode anyhow. In
my case, I did want to load an extension, then disable the dl()
function immediately afterward, so contributed user files can't
sabotage the internals. Then open a db handle (in mysql), then delete
the mysql_open function. Finally, I wanted to deny access to hidden
files (ones starting with a dot) to contributed user code, which is
where I would be storing things such as db passwords, but not shut off
all file access. That last one would need a wrapper around fopen,
include, use, require, and system (I'd probably just disable system()
entirely, but don't want to destroy include()). And since I can't
serialize a resource, I can't pass the db handle over to a web
with different .ini settings in a .htaccess file in another web using
virtual() (which is really expensive anyway).

If it's up to the admin to control this sort of thing, why not let the
admin control whether this runtime functionality is enabled? Similar
policy gets set for the various DB *_pconnect functions after all.

I'm trying to create a PHP answer to Zope here, but if contributed
code cannot be run in a sandbox, it's going to severely restrict the
collaborative development features I had in mind for it (and that it
already has, but the trust is currently all-or-nothing; a rogue user
could wipe out the entire site).

I'd be willing to write this sort of thing myself, and would even
accept it being forever a purely third-party thing. I'd just like to
solicit a little feedback on how it should work and be implemented.

chuck "been reading too many afu .sigs" adams

-- 
PHP Development Mailing List <http://www.php.net/>
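As an added illustration (not code from the thread, and not part of PHP itself) of the dot-file guard Chuck describes: a userland wrapper that contributed code would be routed through instead of calling fopen() directly, refusing any path with a component that starts with a dot and anything that resolves outside the site root. The SITE_ROOT path, the function names and the sample requests are all assumptions made for the example.

```php
<?php
// Added example: a userland guard of the kind described in the post, denying
// contributed code access to dot-files (where db passwords would live) while
// leaving ordinary file access intact. Names and paths here are assumed.

declare(strict_types=1);

// Hypothetical directory that holds the site; private config lives in
// dot-files underneath it.
const SITE_ROOT = '/var/www/site';

/**
 * Return true when any path component begins with a dot.
 * The check is lexical, so "data/../.dbpass" is rejected before the
 * filesystem is consulted; ".." itself also starts with a dot and is
 * therefore refused, which closes the traversal route as a side effect.
 */
function has_hidden_component(string $path): bool
{
    foreach (explode('/', str_replace('\\', '/', $path)) as $part) {
        if ($part !== '' && $part[0] === '.') {
            return true;
        }
    }
    return false;
}

/**
 * fopen() replacement for contributed code. Only existing files can be
 * opened (realpath() must succeed), the resolved path is re-checked for
 * hidden components in case a symlink points at one, and the file must
 * lie under SITE_ROOT. Returns a stream resource or false.
 */
function contrib_fopen(string $path, string $mode)
{
    if (has_hidden_component($path)) {
        trigger_error("access to hidden file denied: $path", E_USER_WARNING);
        return false;
    }
    $real = realpath($path);
    if ($real === false
        || has_hidden_component($real)
        || strncmp($real, SITE_ROOT . '/', strlen(SITE_ROOT) + 1) !== 0) {
        trigger_error("access outside site root denied: $path", E_USER_WARNING);
        return false;
    }
    return fopen($real, $mode);
}

// Constructed sample requests as contributed code might issue them.
$requests = [
    'pages/index.html',   // allowed
    '.htpasswd',          // hidden file at top level
    'data/../.dbpass',    // traversal into a hidden file
    'etc/.hidden/notes',  // hidden directory in the middle of the path
];
foreach ($requests as $p) {
    printf("%-22s %s\n", $p, has_hidden_component($p) ? 'DENIED' : 'allowed');
}
```

The per-function disabling Zeev proposes is what an administrator can express in php.ini with `disable_functions = dl,system` (a disabled function then fails at call time rather than being replaceable from user code), and the path restriction can be reinforced with `open_basedir`. Neither covers the dot-file case on its own, since `open_basedir` confines code to directories rather than filtering file names, which is why the guard above still checks every component.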