Tim Starling wrote:
Advantage: Lots of webbish people have some experience with PHP or can
easily find references.
Advantage: we're pretty much guaranteed to have a PHP interpreter
Disadvantage: PHP is difficult to lock down for secure execution.
PHP can be secured against arbitrary execution using token_get_all(),
there's a proof-of-principle validator of this kind in the master
switch script project. But there are problems with attempting a
single-process PHP-in-PHP sandbox:
* The poor support for signals in PHP makes it difficult to limit the
execution time of a script snippet. Ticks only occur at the end of
each statement, so you can defeat them by making a single statement
that runs forever.
Inject a check_limits() call into each looping structure. If it detects
the script has been running for more than $maxTime, timeout it.
Can you defeat that?
* Apart from blacklisting function definition, there
is no way to
protect against infinite recursion, which exhausts the process stack
and causes a segfault.
Also inject the same call into functions.
* Memory limits are implemented on a per-request
basis, and there's no
way to recover from exceeding the memory limit, the request is just
Call memory_get_usage() before and also inside check_limits() to check
script abides inside memory limits. Abort if it gets near php memory
limit (I'd expect the script's memory to be much lower than php's).
However, that check is much easier to bypass.