Edit report at https://bugs.php.net/bug.php?id=42116&edit=1
ID: 42116 Updated by: maar...@php.net Reported by: kripper3 at hotmail dot com Summary: Safe eval() -Status: Open +Status: Closed Type: Feature/Change Request Package: *General Issues Operating System: Irrelevant PHP Version: 5.2.3 -Assigned To: +Assigned To: maarten Block user comment: N Private report: N New Comment: Whitelisting is always safer than blacklisting, so you should add a specific whitelist. Instead of writing a whitelist for this specific usage (i.e. arethmetic), you'd just as well grab a specific parser made for the job. :) Previous Comments: ------------------------------------------------------------------------ [2011-11-23 13:37:45] zyss at mail dot zp dot ua You should use arithmetic expressions parser instead of using eval() for such purposes, IMHO. There are tons of such parsers for PHP and nothing prevents you from writing your own. Exposing eval() to users is a very bad thing whatever filters are there. ------------------------------------------------------------------------ [2007-07-26 20:56:47] kripper3 at hotmail dot com Description: ------------ eval($code) makes it possible to execute PHP code. It becames usefull when $code is provided dynamically (by the user of the application). For example, in order to compute a math expression provided by the user via a Web Interface. A lot of applications are using eval() this way. The problem is that eval() is not safe, and makes it possible to inject code. For example, instead of providing a math expression, I could provide code for listing files, get the content of the scripts and obtain hardcoded passwords. On http://www.php.net/manual/en/function.eval.php#75389 someone proposed a parser to detect disallowed PHP functions, but since the evaled code can be very flexible (ie. "$a = 'un' . 'link'; $a('<file>')"), it seems the solution must be implemented in the engine. In other words, there should be a secure sandbox eval() function, let's say "save_eval()". I guess this could be difficult to implement. Besides, the definition of "save" may be subjective. I would define "save" as, at least, to not allow someone to do I/O operations (ie. read/write files, access URL's, etc.) and not access the applications code space (ie. change $GLOBALS, $_SESSION, $_SERVER, etc). To day, to use eval() implies a security risk in almost any app. that uses this function. Besides, we are missing a BIG RED WARNING BOX in the documentation page to inform our PHP users. Therefore, it is a social bug. Related "Bug": http://bugs.php.net/bug.php?id=40722&edit=2 IMO, it's no serious answer, since OS privileges cannot avoid reading passwords in PHP scripts or inyecting: $_SESSION['isAdmin'] = 'ok...let_me_hack_your_php_app') Reproduce code: --------------- eval(<any malicous code>) or save_eval(<any malicous code>) Expected result: ---------------- ERROR: Evaled code cannot execute function '<disallowed function name>' Actual result: -------------- Irrelevant. ------------------------------------------------------------------------ -- Edit this bug report at https://bugs.php.net/bug.php?id=42116&edit=1
