Recommendations for sandboxing inside PHP5 or alternatives?

Question

I've been slowly working on a personal project to run a webmud-like game using extjs as my frontend. One of the design choices I made was to allow user-generated evaluated code for game logic. So when the player enters a new "room", a number of state scripts would be called along the lines of "has player been here before, should they be here, do they have x inventory item" and then respond accordingly. Furthermore, basic room "actions" would be hard coded ( go N/S/E/W ) but advanced actions would be available as the same user-generated evaluated scripts.

Originally I was going to be lazy and use evaluated PHP for this logic, but my paranoid sense is kicking in. So the two alternatives I have found are the runkit_sandbox, but it doesn't support an interchange of objects between the primary thread and the sandbox (just simple data types and arrays), OR using ecmascript as my game logic http://ejohn.org/blog/spicing-up-embedded-javascript/.

The pros/cons of the two are that with runkit, I can lock the script down pretty hard at a tremendous cost to speed, while the ecma interpreter would allow me to selectively bind variables, functions, and possibly objects to the javascript run space, but it's still in a beta state and I've yet to see how well it runs.

Are these it for options, or is there something else out there I don't know about that might be a better choice? Environment: Linux, PHP-CGI 5.3 or as a Google App Engine.

Recommended answer

I wouldn't recommend evaluating user-contributed PHP-code -- even within a runkit sandbox. PHP is a very complex language, and it's closely tied to its environment. Without knowing the specifics, I would anticipate that there are numerous holes that people could leverage to break out of the sandbox.

There are other languages, that you can embed, than javascript. Lua is a popular choice for these kinds of things. There is even a php extension in pecl, with bindings for it.

If you're going the runkit route anyway, you could look into a shared memory solution, such as memcache, for exchanging data between processes.
