RE: [PHP] Restrict uploaded scripts
Would it then be possible to restrict it in some other way, for example
using chroot? Or do I just have to make sure that the modules come from
a source that I trust or look through the code?

On Fri, 09 06 2006 at 10:47 -0400, Jim Moseby wrote:
> > Wouldn't it even be possible, if the script couldn't be run directly, but
> > had to be run through require or something like that?
>
> Require just includes the code inline. It still runs on the webserver as
> the server user as if it were one big script. I think you would have to
> sanitize the uploaded code before allowing it to run. Writing the
> sanitation algorithm to perform such a task would be a nightmare.
>
> JM

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] Restrict uploaded scripts
> Wouldn't it even be possible, if the script couldn't be run directly, but
> had to be run through require or something like that?

Require just includes the code inline. It still runs on the webserver as
the server user as if it were one big script. I think you would have to
sanitize the uploaded code before allowing it to run. Writing the
sanitation algorithm to perform such a task would be a nightmare.

JM
RE: [PHP] Restrict uploaded scripts
Wouldn't it even be possible, if the script couldn't be run directly, but
had to be run through require or something like that?

On Fri, 09 06 2006 at 08:38 -0400, Jim Moseby wrote:
> > Wouldn't they still be able to overwrite each other?
> > I don't think I expressed myself clearly. The point of the protection is
> > to keep the scripts from overwriting each other on purpose. It was a
> > protection that would make it possible to upload scripts, even if you
> > were not completely sure they were safe.
>
> So, you are concerned that someone will write a script that when RUN could
> purposely overwrite some other files. If I had people uploading their own
> code to my server, I would be concerned as well. In fact, 'concerned' is not
> quite a strong enough word.
>
> As far as I know, when the uploaded script runs, it will have all the same
> permissions that the user the webserver runs as has. So there would be no
> (easy) way to control the possibility that it will overwrite files, add
> records to your database, launch an attack on another host, send 100,000
> spam messages to the White House, download porn and email it to your
> minister, etc, etc, etc...
>
> JM
RE: [PHP] Restrict uploaded scripts
> Wouldn't they still be able to overwrite each other?
> I don't think I expressed myself clearly. The point of the protection is
> to keep the scripts from overwriting each other on purpose. It was a
> protection that would make it possible to upload scripts, even if you
> were not completely sure they were safe.

So, you are concerned that someone will write a script that when RUN could
purposely overwrite some other files. If I had people uploading their own
code to my server, I would be concerned as well. In fact, 'concerned' is not
quite a strong enough word.

As far as I know, when the uploaded script runs, it will have all the same
permissions that the user the webserver runs as has. So there would be no
(easy) way to control the possibility that it will overwrite files, add
records to your database, launch an attack on another host, send 100,000
spam messages to the White House, download porn and email it to your
minister, etc, etc, etc...

JM
Re: [PHP] Restrict uploaded scripts
Mathias:

So what's wrong with either naming each file with a unique name or placing
each file in a unique folder? If it's unique, then how can they overwrite it?

I must not be understanding what you want.

tedd

At 7:24 AM +0200 6/9/06, Mathias Bundgaard Svesson wrote:
>Wouldn't they still be able to overwrite each other?
>I don't think I expressed myself clearly. The point of the protection is
>to keep the scripts from overwriting each other on purpose. It was a
>protection that would make it possible to upload scripts, even if you
>were not completely sure they were safe.
>
>On Thu, 08 06 2006 at 17:30 -0400, tedd wrote:
>> At 10:37 PM +0200 6/8/06, Mathias Bundgaard Svesson wrote:
>> >Restrict them not to overwrite other modules or overwrite the CMS
>> >itself. Each module should have its own directory, and it shouldn't be
>> >allowed to change anything outside it.
>> >
>> >On Thu, 08 06 2006 at 21:49 +1000, chris smith wrote:
>> >> On 6/8/06, Mathias Bundgaard Svesson <[EMAIL PROTECTED]> wrote:
>> >> > Hi!
>> >> > I'm trying to create a CMS where it should be possible to upload script
>> >> > modules. Those modules should mostly be made by myself, but it is
>> >> > possible for others to create scripts too. My question is, is it possible
>> >> > to restrict the modules to their own directory so they don't overwrite
>> >> > some of the other modules or the CMS itself?
>>
>> Mathias:
>>
>> Well then, how about this?
>>
>> You can create a "uniquely" named id by using:
>>
>> $unique_id = md5(uniqid(microtime(), true));
>>
>> and then use that name as a folder for each person submitting scripts OR use
>> the unique id as a suffix for their cms file. Either way, it should stop
>> persons from overwriting cms files.
>>
>> I would also suggest that you keep track of these ids in a dB. If you are
>> still concerned about two people having the same unique, then you could
>> search the dB to see if the recently created id exists. If it does, then
>> generate another one.
>>
>> I use a similar method for making sure that the images I upload have unique
>> names.
>>
>> hth's
>>
>> tedd

--
http://sperling.com http://ancientstones.com http://earthstones.com
Re: [PHP] Restrict uploaded scripts
Wouldn't they still be able to overwrite each other?
I don't think I expressed myself clearly. The point of the protection is
to keep the scripts from overwriting each other on purpose. It was a
protection that would make it possible to upload scripts, even if you
were not completely sure they were safe.

On Thu, 08 06 2006 at 17:30 -0400, tedd wrote:
> At 10:37 PM +0200 6/8/06, Mathias Bundgaard Svesson wrote:
> >Restrict them not to overwrite other modules or overwrite the CMS
> >itself. Each module should have its own directory, and it shouldn't be
> >allowed to change anything outside it.
> >
> >On Thu, 08 06 2006 at 21:49 +1000, chris smith wrote:
> >> On 6/8/06, Mathias Bundgaard Svesson <[EMAIL PROTECTED]> wrote:
> >> > Hi!
> >> > I'm trying to create a CMS where it should be possible to upload script
> >> > modules. Those modules should mostly be made by myself, but it is
> >> > possible for others to create scripts too. My question is, is it possible
> >> > to restrict the modules to their own directory so they don't overwrite
> >> > some of the other modules or the CMS itself?
>
> Mathias:
>
> Well then, how about this?
>
> You can create a "uniquely" named id by using:
>
> $unique_id = md5(uniqid(microtime(), true));
>
> and then use that name as a folder for each person submitting scripts OR use
> the unique id as a suffix for their cms file. Either way, it should stop
> persons from overwriting cms files.
>
> I would also suggest that you keep track of these ids in a dB. If you are
> still concerned about two people having the same unique, then you could
> search the dB to see if the recently created id exists. If it does, then
> generate another one.
>
> I use a similar method for making sure that the images I upload have unique
> names.
>
> hth's
>
> tedd
Re: [PHP] Restrict uploaded scripts
At 10:37 PM +0200 6/8/06, Mathias Bundgaard Svesson wrote:
>Restrict them not to overwrite other modules or overwrite the CMS
>itself. Each module should have its own directory, and it shouldn't be
>allowed to change anything outside it.
>
>On Thu, 08 06 2006 at 21:49 +1000, chris smith wrote:
>> On 6/8/06, Mathias Bundgaard Svesson <[EMAIL PROTECTED]> wrote:
>> > Hi!
>> > I'm trying to create a CMS where it should be possible to upload script
>> > modules. Those modules should mostly be made by myself, but it is
>> > possible for others to create scripts too. My question is, is it possible
>> > to restrict the modules to their own directory so they don't overwrite
>> > some of the other modules or the CMS itself?

Mathias:

Well then, how about this?

You can create a "uniquely" named id by using:

$unique_id = md5(uniqid(microtime(), true));

and then use that name as a folder for each person submitting scripts OR use
the unique id as a suffix for their cms file. Either way, it should stop
persons from overwriting cms files.

I would also suggest that you keep track of these ids in a dB. If you are
still concerned about two people having the same unique, then you could
search the dB to see if the recently created id exists. If it does, then
generate another one.

I use a similar method for making sure that the images I upload have unique
names.

hth's

tedd

--
http://sperling.com http://ancientstones.com http://earthstones.com
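An added example, not part of the message above or of any poster's code: one way to allocate the per-submitter folder described there, using random_bytes() in place of md5(uniqid(...)) and letting mkdir() detect a collision instead of a database lookup. The helper names, the base directory and the sample file names are hypothetical and constructed for the demo. It keeps uploads from overwriting each other when they are stored; it does not confine what an uploaded script does once it runs as the web server user.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: create a new, uniquely named directory under $base.
// mkdir() fails if the name already exists, so a collision is detected
// atomically by the filesystem and we simply try another id.
function allocate_module_dir(string $base, int $attempts = 5): string
{
    for ($i = 0; $i < $attempts; $i++) {
        $id = bin2hex(random_bytes(16));      // 128-bit id from the CSPRNG
        $dir = $base . DIRECTORY_SEPARATOR . $id;
        if (@mkdir($dir, 0750)) {
            return $dir;
        }
    }
    throw new RuntimeException('could not allocate a unique module directory');
}

// Hypothetical helper: store an uploaded file inside $moduleDir only.
// basename() drops any directory part of the client-supplied name, and the
// 'x' mode makes fopen() fail rather than overwrite an existing file.
function store_in_module_dir(string $moduleDir, string $clientName, string $contents): string
{
    $name = basename(str_replace('\\', '/', $clientName));
    if ($name === '' || $name === '.' || $name === '..') {
        throw new InvalidArgumentException('unusable file name');
    }
    $target = $moduleDir . DIRECTORY_SEPARATOR . $name;
    $fh = @fopen($target, 'x');
    if ($fh === false) {
        throw new RuntimeException('refusing to overwrite ' . $name);
    }
    fwrite($fh, $contents);
    fclose($fh);
    return $target;
}

// Constructed demo: two submitters upload a file with the same name.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'cms_modules_demo';
if (!is_dir($base)) {
    mkdir($base, 0750);
}
$a = allocate_module_dir($base);
$b = allocate_module_dir($base);
echo store_in_module_dir($a, '../../index.php', "<?php // module A\n"), "\n";
echo store_in_module_dir($b, 'index.php', "<?php // module B\n"), "\n";
```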
Re: [PHP] Restrict uploaded scripts
Restrict them not to overwrite other modules or overwrite the CMS
itself. Each module should have its own directory, and it shouldn't be
allowed to change anything outside it.

On Thu, 08 06 2006 at 21:49 +1000, chris smith wrote:
> On 6/8/06, Mathias Bundgaard Svesson <[EMAIL PROTECTED]> wrote:
> > Hi!
> > I'm trying to create a CMS where it should be possible to upload script
> > modules. Those modules should mostly be made by myself, but it is
> > possible for others to create scripts too. My question is, is it possible
> > to restrict the modules to their own directory so they don't overwrite
> > some of the other modules or the CMS itself?
>
> Restrict them to do what exactly?
Re: [PHP] Restrict uploaded scripts
On 6/8/06, Mathias Bundgaard Svesson <[EMAIL PROTECTED]> wrote:
> Hi!
> I'm trying to create a CMS where it should be possible to upload script
> modules. Those modules should mostly be made by myself, but it is
> possible for others to create scripts too. My question is, is it possible
> to restrict the modules to their own directory so they don't overwrite
> some of the other modules or the CMS itself?

Restrict them to do what exactly?

--
Postgresql & php tutorials
http://www.designmagick.com/