开发者

How to SAFELY include a file for use with use with Zend_Reflection?

I'm using Zend_Reflection to generate an extended format set of ctags for use with my text editor. The problem is that you have to include any files that you wish to process.

The constructor for Zend_Reflection_File checks to see if the file you wish to reflect has been included, and if not it throws an exception:

// From Zend/Refection/File.php (94-97)
if (!$fileRealpath || !in_array($fileRealpath, get_included_files())) {
    require_once 'Zend/Reflection/Exception.php';
    throw new Zend_Reflection_Exception(
        'File ' . $file . ' must be required before it can be reflected');
} 

I only use thi开发者_高级运维s technique on code that I trust but I'd like to wrap it all up in a script for others to use. My concern is that any included files may introduce unsafe code into the current scope. For example, I wouldn't want to include the following:

<?php
// evil.php
shell_exec('rm -rf /');

My first thought was to use safe_mode but this is depreciated (and not as safe as the name would suggest it seems).

The next idea would be to use a custom php.ini file and the disable_functions directive but (beyond the candidates listed in the safe_mode documentation) I couldn't be sure that I'd caught all the necessary functions.

Finally I'm wondering if there's any way of making PHP run in a sandbox (of sorts) -- I'd like to capture the Reflection information without any global code that was included being executed at all.

Any and all thoughts appreciated. TIA.


You shouldn't be including, or eval-ing, user supplied code.

Edit:

Trying to filter out "safe" code is beyond the scope of Zend_Reflection. That is not the intended usage, and is not supported by the framework. If you wish to do some voodoo token parsing on your input, feel free, but that isn't Zend_Reflection.

Edit 2:

If you really want to do this, please look at token_get_all, token_get_name, and the list of parser tokens.

If you look at the Zend_Reflection_File::_reflect method, you can get an idea of what you could do:

<?php
$tokens = token_get_all(file_get_contents('file.php'));
foreach ($tokens as $token) {
    if (is_array($token)) {
        $type = $token[0];
        $value = $token[1];
        $line = $token[2];
    }
    switch ($type) {
        case T_FUNCTION:
            if ($value == 'shell_exec') {
                throw Exception("WTF");
            }
        // etc.
    }
}
0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜