disabled function lists

fregster / PHPSandbox

A PHP Sandbox (Runkit). A way to run untrusted PHP in a 'more' secure / safe way

www.fryer.org.uk/blog

GNU Lesser General Public License v3.0

46 stars 4 forks source link

disabled function lists #5

Open silverbux opened 8 years ago

silverbux commented 8 years ago

hi just wondering if anyone has a list of potentially harmful functions? basically the app im working on is a cloud editor, so mainly will be used for code preview.

fregster commented 8 years ago

There are lot's of lists you can find on the internet, unfortunately just blacklisting functions does not help to guarantee security of your code. This application set was built specifically to allow you to eval code in a 'more secure way'.

You can look at Whitelisting functions that you know you use which would be 'better' than Blacklisting but ideally look to containerize your uploaded code.

fregster commented 8 years ago

Specifically this application disabled these functions in addition to the 'sandboxing'

'disable_functions' => 'exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source,pcntl_fork,pcntl_exec,session_start,phpinfo,ini_set',