防止应用程序在服务器端引入有害更改 [英] Prevent application from introducing harmful changes on the server side

问题描述

这只是我的PHP小爱好项目.我使用0sites.org服务器(Linux操作系统).我基本上是在尝试模仿 http://www.codepad.org ，

This is just my small little hobby project in PHP. I use 0sites.org Server (Linux OS). I am basically try to imitate functionalities of http://www.codepad.org, http://www.ideone.com. I am trying to have an online compiler/interpreter for some lanuages.

到目前为止，我可以使用PHP exec(..)编译/运行应用程序，但是我不确定如何过滤掉C/C ++等有害函数 system(..).另外，我也不知道如何阻止任何网络访问.

As of now, I can compile/run the applications with PHP exec(..), but I am really unsure as to how I am going to filter out harmful function calls like C/C++ system(..). Also, I have little idea how I am going to prevent any network access.

我还计划添加更多语言.很难实现每种语言特有的功能.我想知道是否有一种方法可以在更一般的层面上阻止事情发生.

I also a planning to add few more languages. It would be difficult to implement things specific to every language. I am wondering if there is a way I could stop things at a more general level.

我考虑过手动解析代码的行，并注释掉有问题的代码行.但是，由于通常有不止一种做事方式，因此可以将其打破.:-P

I have thought on the lines of parsing the code manually and comment out the problematic lines of code. But since there is usually more than one way to do things, this can be broken. :-P

有什么想法/建议/指标吗?我也将不胜感激.:-)

Any ideas/suggestions/pointers ? I shall be highly grateful for the same. :-)

(PS:这只是一个爱好项目.我只是想使其尽可能专业..)

(PS: This is just a hobby project. I just want to make it as professional as possible.. )

推荐答案

您可能确实需要操作系统支持才能创建这些沙箱.任何涉及对源代码进行过滤的方法都将存在安全性问题，并且将是维护噩梦.

You probably really need OS support for creating these sandboxes. Any approach involving filtering the source code is going to have security problems, and will be a nightmare to maintain.

只需考虑:即使您完全正确地实现了解析器，PHP的解析器中也可能存在错误，因此它的解析方式略有不同.这样可以轻松地使某人运行系统，exec等，并完全绕开您的过滤条件.

Just think: Even if you implement your parser completely correctly, there could be a bug in PHP's parser, so it parses slightly differently. That could easily allow someone to run system, exec, etc. and completely get around your filtering.

您没有偶然发现一个爱好项目；您偶然发现了一个研究项目.

You have not stumbled across a hobby project; you have stumbled across a research project.

在没有操作系统支持的情况下，我想到的最明智的方法是打补丁PHP(但是您将使用C而不是PHP进行工作)，或在PHP中重新实现PHP.但是请记住，这有多疯狂.您确定您知道链接的无数库可能会做什么，尤其是在给定有趣参数的情况下?例如，您可能希望禁止写入文件，但允许 MySQL.除了MySQL具有可写入任意文件的SQL命令之外.

The sanest way I can think of to do this without OS support is to patch PHP (but you'd be working in C then, not PHP), or to re-implement PHP in PHP. But keep in mind how crazy this is. Are you sure you know what the countless libraries linked in may do, especially when given funny arguments? E.g., you may want to disallow writing to files, but allow MySQL. Except MySQL has SQL commands that write to arbitrary files.

http://codepad.org/about 说，它是在OS支持下完成的.也许您可以使自己成为PHP的 ptrace 模块，并以类似的方式实现您的模块.

http://codepad.org/about says its done with OS support. Maybe you can make yourself a ptrace module for PHP, and implement yours in a similar way.

这篇关于防止应用程序在服务器端引入有害更改的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！