From: kripper3 at hotmail dot com
Operating system: Irrelevant
PHP version: 5.2.3
PHP Bug Type: Feature/Change Request
Bug description: Safe eval()
Description:
------------
eval($code) makes it possible to execute PHP code. It becomes useful when $code is provided dynamically (by the user of the application), for example in order to compute a math expression provided by the user via a Web interface. A lot of applications are using eval() this way.

The problem is that eval() is not safe, and makes it possible to inject code. For example, instead of providing a math expression, I could provide code for listing files, get the content of the scripts and obtain hardcoded passwords.

On http://www.php.net/manual/en/function.eval.php#75389 someone proposed a parser to detect disallowed PHP functions, but since the evaled code can be very flexible (i.e. "$a = 'un' . 'link'; $a('<file>')"), it seems the solution must be implemented in the engine. In other words, there should be a secure sandbox eval() function, let's say "safe_eval()".

I guess this could be difficult to implement. Besides, the definition of "safe" may be subjective. I would define "safe" as, at least, not allowing someone to do I/O operations (i.e. read/write files, access URLs, etc.) and not allowing access to the application's code space (i.e. changing $GLOBALS, $_SESSION, $_SERVER, etc.).

Today, using eval() implies a security risk in almost any application that uses this function. Besides, we are missing a BIG RED WARNING BOX in the documentation page to inform our PHP users. Therefore, it is a social bug.

Related "Bug": http://bugs.php.net/bug.php?id=40722&edit=2
IMO, it's not a serious answer, since OS privileges cannot prevent reading passwords in PHP scripts or injecting: $_SESSION['isAdmin'] = 'ok...let_me_hack_your_php_app')

Reproduce code:
---------------
eval(<any malicious code>) or safe_eval(<any malicious code>)

Expected result:
----------------
ERROR: Evaled code cannot execute function '<disallowed function name>'

Actual result:
--------------
Irrelevant.
-- Edit bug report at http://bugs.php.net/?id=42116&edit=1
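As an added example (not code from the bug report or from PHP itself), the math-expression use case the report describes handled without eval(): a small whitelisting parser that only understands arithmetic, so the "un" . "link" style tricks the report mentions have nothing to reach. The function name safe_math_eval is an assumption.

```php
<?php
// Added example, not from the bug report: evaluate a user-supplied arithmetic
// expression without eval(). Only numbers, + - * /, unary minus and parentheses
// are accepted, so there is no path to any PHP function or variable.
function safe_math_eval(string $input): float
{
    // Whitelist the alphabet first; "unlink('x')" or "$a='un'.'link'" die here.
    if (!preg_match('/^[\d\s.+\-*\/()]+$/', $input)) {
        throw new InvalidArgumentException('Disallowed character in expression');
    }
    preg_match_all('/\d+(?:\.\d+)?|[-+*\/()]/', $input, $m);
    $tokens = $m[0];
    $pos = 0;
    // Recursive-descent parser: expr   := term (('+'|'-') term)*
    //                           term   := factor (('*'|'/') factor)*
    //                           factor := number | '(' expr ')' | '-' factor
    $factor = function () use (&$tokens, &$pos, &$expr, &$factor) {
        $t = $tokens[$pos++] ?? null;
        if ($t === '-') return -$factor();
        if ($t === '(') {
            $v = $expr();
            if (($tokens[$pos++] ?? null) !== ')') throw new InvalidArgumentException('Missing )');
            return $v;
        }
        if ($t === null || !is_numeric($t)) throw new InvalidArgumentException('Bad token');
        return (float)$t;
    };
    $term = function () use (&$tokens, &$pos, &$factor) {
        $v = $factor();
        while (in_array($tokens[$pos] ?? null, ['*', '/'], true)) {
            $op = $tokens[$pos++]; $r = $factor();
            if ($op === '/' && $r == 0.0) throw new DivisionByZeroError('Division by zero');
            $v = $op === '*' ? $v * $r : $v / $r;
        }
        return $v;
    };
    $expr = function () use (&$tokens, &$pos, &$term) {
        $v = $term();
        while (in_array($tokens[$pos] ?? null, ['+', '-'], true)) {
            $op = $tokens[$pos++]; $r = $term();
            $v = $op === '+' ? $v + $r : $v - $r;
        }
        return $v;
    };
    $result = $expr();
    if ($pos !== count($tokens)) throw new InvalidArgumentException('Trailing input');
    return $result;
}
var_dump(safe_math_eval('2 * (3 + 4) - -1'));
```

Anything outside the grammar (identifiers, quotes, the `$` sigil, string concatenation) is rejected before parsing, which is the property a sandboxed eval would have to guarantee for the whole language.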