Safety of allowing third parties to upload PHP to a site

Developer https://www.devze.com 2023-01-14 18:20 Source: web
I'm looking at building a site designed to allow users to test PHP code and was wondering if there's a safe way to implement such functionality.

Of particular concern, is there a practical way to allow them to only edit the contents of a single folder without having a separate user on the server for every user of the site?

Another thing which comes to mind is the system() function, though it seems this should be trivially easy to disable by creating a single user on the server with virtually no commands available to it.

Is there anything else I should be concerned with? It seems as though there should be myriad problems, but I can't really think of many.

Also, I realise this may belong on serverfault, but I thought that people here would have a more nuanced understanding of PHP.


I'd probably create a chroot-ed instance of Apache, and also a very limited user as which it will run and to whom the uploaded files will belong. PHP doesn't really come into the equation here (besides safe_mode), although you could set up a blacklist of disabled functions.

IMHO it is much more important to limit the user at the OS level than to build up barriers in PHP.

Do set up some resource limits though - at least for memory, CPU time, and wall time.
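The resource limits mentioned above (memory, CPU time, wall time), enforced at the OS level by a small launcher. This is an added example, not code from the answer; it assumes a Linux host with Python available, and the limit values, the `run_limited` name and the paths in comments are illustrative. It would be started inside the chroot under the limited user the answer describes.

```python
import os
import resource
import signal
import subprocess

# Assumed limit values for illustration; tune them for the real workload.
MEM_BYTES = 256 * 1024 * 1024  # address-space cap (memory)
CPU_SECONDS = 1                # CPU-time cap
WALL_SECONDS = 5               # wall-clock cap


def _apply_limits():
    """Runs in the child after fork() and before exec()."""
    resource.setrlimit(resource.RLIMIT_AS, (MEM_BYTES, MEM_BYTES))
    resource.setrlimit(resource.RLIMIT_CPU, (CPU_SECONDS, CPU_SECONDS))
    resource.setrlimit(resource.RLIMIT_CORE, (0, 0))  # no core dumps on disk


def run_limited(argv, wall=WALL_SECONDS):
    """Run argv under the limits. Returns (status, code, stdout)."""
    proc = subprocess.Popen(
        argv,
        preexec_fn=_apply_limits,
        start_new_session=True,         # own process group, killed as a unit
        env={"PATH": "/usr/bin:/bin"},  # do not leak the server's environment
        stdin=subprocess.DEVNULL,
        stdout=subprocess.PIPE,         # buffered in memory; cap it in production
        stderr=subprocess.DEVNULL,
    )
    try:
        out, _ = proc.communicate(timeout=wall)
    except subprocess.TimeoutExpired:
        os.killpg(proc.pid, signal.SIGKILL)  # also kills children it spawned
        proc.communicate()
        return ("timeout", None, b"")
    if proc.returncode < 0:                  # killed by a signal, e.g. CPU limit
        return ("signal", -proc.returncode, out)
    return ("ok" if proc.returncode == 0 else "exit", proc.returncode, out)


if __name__ == "__main__":
    import sys
    # Constructed demo input; a real call would pass the PHP CLI and the
    # uploaded file, e.g. ["php", "/sandbox/upload.php"] (placeholder path).
    print(run_limited([sys.executable, "-c", "while True: pass"]))
```

The memory cap shows up as a failed allocation inside the child (a non-zero exit), while the CPU and wall-time caps end the process from outside.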


Do you want to do something similar to what CodePad does? They have some words about the technology they use on their "about" page:

  • http://codepad.org/
  • http://codepad.org/about