Tim Starling wrote:
> - PHP
> Advantage: Lots of webbish people have some experience with PHP or can easily find references.
> Advantage: we're pretty much guaranteed to have a PHP interpreter available. :)
> Disadvantage: PHP is difficult to lock down for secure execution.
> PHP can be secured against arbitrary execution using token_get_all(); there's a proof-of-principle validator of this kind in the master switch script project. But there are problems with attempting a single-process PHP-in-PHP sandbox:
> - The poor support for signals in PHP makes it difficult to limit the execution time of a script snippet. Ticks only occur at the end of each statement, so you can defeat them by making a single statement that runs forever.

Inject a check_limits() call into each looping structure. If it detects that the script has been running for more than $maxTime, time it out. Can you defeat that?

> - Apart from blacklisting function definition, there is no way to protect against infinite recursion, which exhausts the process stack and causes a segfault.

Also inject the same call into functions.

> - Memory limits are implemented on a per-request basis, and there's no way to recover from exceeding the memory limit; the request is just killed.

Call memory_get_usage() before and also inside check_limits() to check that the script stays within its memory limits. Abort if it gets near the php memory limit (I'd expect the script's memory to be much lower than php's). However, that check is much easier to bypass.
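As an added example that is not part of the thread (and not MediaWiki or master switch script code), here is one way to implement what the reply proposes: a check_limits() guard that compares elapsed time and memory_get_usage() against a budget, and a rewriter built on the token_get_all() Tim mentions that injects the call at the start of every loop body and function body. The function names, class name and budget values are assumptions. The rewriter also makes the fragility visible: it must reject anything it cannot instrument (goto, brace-less loop bodies, alternative loop syntax), and the memory check is only evaluated between statements, so one statement that allocates a huge value still reaches the request-level memory limit first, which is the bypass the reply points at.

```php
<?php
// Added example, not code from the thread. It implements the reply's proposal:
// a check_limits() guard plus a token_get_all()-based rewriter that injects a
// call to it at the start of every loop body and function body. All names
// (check_limits, inject_limit_checks, SnippetLimitExceeded, budgets) are assumed.
declare(strict_types=1);

class SnippetLimitExceeded extends RuntimeException {}

// Snippet budgets (assumed), well below php's own max_execution_time and
// memory_limit so we abort before the whole request is killed.
const SNIPPET_MAX_TIME   = 2.0;             // seconds
const SNIPPET_MAX_MEMORY = 8 * 1024 * 1024; // bytes
$GLOBALS['snippet_start'] = microtime(true);

function check_limits(): void {
    $elapsed = microtime(true) - $GLOBALS['snippet_start'];
    if ($elapsed > SNIPPET_MAX_TIME) {
        throw new SnippetLimitExceeded(sprintf('time limit exceeded after %.2fs', $elapsed));
    }
    // Only observed between statements: a single statement that allocates a
    // huge value still hits php's memory_limit first (the bypass the reply notes).
    $mem = memory_get_usage();
    if ($mem > SNIPPET_MAX_MEMORY) {
        throw new SnippetLimitExceeded("memory limit exceeded: {$mem} bytes");
    }
}

/**
 * Rewrite a snippet (source without the <?php open tag) so that every
 * while/for/foreach/do body and every function body begins with check_limits().
 * Working on tokens means braces inside strings and comments are ignored.
 * Constructs that cannot be instrumented (brace-less loop bodies, alternative
 * loop syntax, goto) are rejected rather than passed through unguarded.
 */
function inject_limit_checks(string $code): string {
    $out = '';
    $parenDepth = 0;
    $pending = [];         // open headers: [tokenId, parenDepth, isDoWhileTail]
    $braces = [];          // per open "{": true when it opens a do-body
    $afterDoBody = false;  // the "}" just closed was a do-body

    foreach (token_get_all('<?php ' . $code) as $tok) {
        if (is_array($tok)) {
            [$id, $text] = $tok;
            if ($id === T_OPEN_TAG) {
                continue;  // the tag we prepended only for tokenizing
            }
            $out .= $text;
            if ($id === T_WHITESPACE || $id === T_COMMENT || $id === T_DOC_COMMENT) {
                continue;
            }
            if ($id === T_GOTO) {
                throw new SnippetLimitExceeded('goto can form a loop without a loop keyword; rejected');
            }
            if ($id === T_CURLY_OPEN || $id === T_DOLLAR_OPEN_CURLY_BRACES) {
                $braces[] = false;  // "{$x}" / "${x}" inside double-quoted strings
            } elseif (in_array($id, [T_WHILE, T_FOR, T_FOREACH, T_DO, T_FUNCTION], true)) {
                $pending[] = [$id, $parenDepth, $id === T_WHILE && $afterDoBody];
            }
            $afterDoBody = false;
            continue;
        }

        // Single-character tokens arrive as plain strings.
        $top = end($pending);
        $headerHere = $top !== false && $top[1] === $parenDepth;
        switch ($tok) {
            case '(': $parenDepth++; break;
            case ')': $parenDepth--; break;
            case '{':
                $braces[] = $headerHere && $top[0] === T_DO;
                if ($headerHere) {
                    array_pop($pending);
                    $out .= '{ check_limits();';
                    $afterDoBody = false;
                    continue 2;
                }
                break;
            case '}':
                $afterDoBody = array_pop($braces) === true;
                $out .= $tok;
                continue 2;
            case ';':
            case ':':
                // ";" ends an abstract method or a do-while tail; ":" before a
                // function body is a return type. Anything else is a loop with
                // no braced body we could instrument.
                if ($headerHere && !($tok === ':' && $top[0] === T_FUNCTION)) {
                    array_pop($pending);
                    if ($top[0] !== T_FUNCTION && !$top[2]) {
                        throw new SnippetLimitExceeded("loop has no braced body before '{$tok}'; rejected");
                    }
                }
                break;
        }
        $out .= $tok;
        $afterDoBody = false;
    }
    return $out;
}

// Constructed input: one statement that runs forever, which defeats tick-based
// limits. With the injected calls, check_limits() aborts it after the budget.
$snippet = 'function spin($n) { while (true) { $n++; } } spin(0);';
$instrumented = inject_limit_checks($snippet);
echo $instrumented, "\n";
try {
    eval($instrumented);
} catch (SnippetLimitExceeded $e) {
    echo 'aborted: ', $e->getMessage(), "\n";
}
```

Run it with the php CLI; the instrumented snippet is printed first, then the abort message once the elapsed time passes SNIPPET_MAX_TIME. The rewriter is deliberately strict: anything it cannot pair with a braced body raises rather than emitting unguarded code, because a validator that silently lets an uninstrumented loop through is exactly the single-statement hole Tim describes.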