Comments on: Security with PHP Only templates

By: awal

awal — Tue, 30 Nov 2004 12:39:27 +0000

I like it

By: forestg

forestg — Sat, 14 Aug 2004 10:50:04 +0000

I really don’t have any production use for this at all, but I find the whole topic quite interesting. But yea i think i’d used it more along the lines enforcing rules in phpDocumentor templates then just for security.

I should look at the phpDocumentor 2.0 code and build the analysis off of php_parser, but thats actual work instead of a proof of concept.

By: Lukas

Lukas — Sat, 14 Aug 2004 10:41:36 +0000

Well now you are taking things into a different direction than security .. but depending on what you do it may be feasible to combine the two. Since all my html designers are within slapping range I dont have this problem quite as much though

By: forestg

forestg — Fri, 13 Aug 2004 10:43:39 +0000

To me it makes a lot of sense. In many situations your not so much worried about security but that your templates don’t turn into a total unmanageable hack just because they can.

But that could just be my view of the situation.

Actually i can think of a situation were you could use a tool like this to certify that code was only using a standard api and thus could be garenteed compatible between multiple implementations of the same basic api, al la J2EE aplication verfication junk.

By: Lukas

Lukas — Fri, 13 Aug 2004 10:16:15 +0000

I dont see a problem there really. All you want to do is prevent people from accessing internal variables and certain extensions. I dont think it makes sense to dictate what language constructs people should be allowed to use inside their templates.

By: forestg

forestg — Fri, 13 Aug 2004 08:48:48 +0000

Well i think part of the problem with trying to limit things based on php.ini Is i don’t think there is an easy way to stop people from writing new functions or classes (unless i just haven’t seen that option in the ini).

Any how if your goes the code analysis I would be willing to colloborate, well at least helping on policy engine design and further development of the code analysis class.

By: Lukas

Lukas — Fri, 13 Aug 2004 08:15:21 +0000

Well I just dont believe that code analysis tools will be as reliable as the solution I proposed. However yes its way too clunky and that is why I will probably also go the code analysis route for now.

By: forestg

forestg — Thu, 12 Aug 2004 18:55:14 +0000

A setup like that sounds quite klunky and slow, also i think it would be easy to write a policy that allowed that with a system based on code analysis, you just say let them call the methods of your sql api in the policy or something like that. Though i don’t really think the people who are looking for a solution like this want to let someone do quick and dirty things, but thats the whole point of a setup like this, you can optionally run it with say Savant or not.

By: Lukas

Lukas — Thu, 12 Aug 2004 18:20:32 +0000

well the idea would be to pass all the parameters you want your template to have via a call to your cgi php (actually you could have different cgi and/or php.ini’s). isnt that what you are supposed to anyways?

the beauty is however that you retain the power of php within the templates … theoretically you could even allow people to run a query inside the templates if they really have to (sometimes you need quick and dirty and its nice to have as a possibility)

By: forestg

forestg — Thu, 12 Aug 2004 18:12:19 +0000

I’ll have to look but you can tell its a function call called $foo even if you don’t know what $foo is, so if your using a whitelisting setup it wouldn’t be allowed.

I don’t really think you could make a secure policy without whitelisting, at least not without a lot of work to find everyway to get around it like that.