[geeklog-devel] PHP in Static Pages

Tony Bibbs tony at tonybibbs.com
Tue Jan 13 16:29:19 EST 2004 

 > I can't see how you would do this (reliably) without adding a PHP
 > parser to Geeklog.

Actually the best way to prevent this is when you save the static page.

So, what I am thinking is you would have something like this in the 
static pages config file:

$_SP_CONF['illegal_php_functions'] = 
array('exec','system','chmod','chown','copy','delete','chgrp','fileperms','fileowner','fopen',etc);

Then we would scan the static page db fields for any of those. Note you 
would have to be bit careful when doing this as you want to find 
instances of 'delete (' and 'delete(' not just 'delete'.  When any of 
those are encountered it should log the user and the page ID.

If you want to get ultra paranoid, you could also check it at the static 
page execution level too.  I assume that static pages execute php just 
like COM_siteHeader() does so in that case you have some code like this:

<snip>
ob_start();
eval( '?>' . $tmp );
$retval = ob_get_contents();
ob_end_clean();
</snip>

So you could apply the check on $tmp prior to the call to eval().

--Tony

Dirk Haun wrote:
> (moving this to the list from private email)
> 
> Tony wrote:
> 
> 
>>Have we considered the possibility of stripping calls to certain php 
>>functions?  I know we turn PHP off by default and have documented how 
>>enabled PHP could be stupid (especially considering most GL logins don't 
>>occur over SSL).  Specifically, exec(), system() and some of the 
>>filesystem methods should probably be removed or, at the very least, 
>>generated emails to the GL admin when they are found.
> 
> 

> 
> 
> There is a feature request that suggests limiting PHP to only call
> certain functions (prefixed with phpstatic_):
> <http://project.geeklog.net/tracker/index.php?
> func=detail&aid=83&group_id=6&atid=108>
> 
> Looks like the intention was to make it similar to PHP blocks.
> 
> 
> 
>>Just thinking of ways to be more proactive security-wise with this. 
>>Personally I hate seeing PHP in static pages...but I grudgingly conceded 
>>considering users seem to insist on having it.
> 
> 
> I guess an option in the static pages' config.php to disable PHP
> altogether can't hurt ...
> 
> bye, Dirk
> 
>

More information about the geeklog-devel mailing list