[PHP] PHP subset for user-defined functions

Anonymous User
[PHP] PHP subset for user-defined functions
December 13, 2016 05:41AM
I have developed and operated a Linux-Apache-MySQL-PHP service for several years. A new feature requires support for simple, user-defined functions, to return values used by the service. Here, we’re talking about front-end users on the internet, with some vetting, and typically with some software engineering experience. I’ve been thinking about security and support issues of course.

Current plans are to offer a subset of PHP for the user-defined functions: Submitted functions would be scanned, and only allowed functions and keywords would be supported. Variable functions would be disallowed, etc. Does anyone have experience or advice regarding this type of approach?

Thanks,
George Sherwood

These references describe the feature:
http://testcover.com/pub/background/ecbecc.pdf
http://testcover.com/pub/background/iwct2015.pdf
http://testcover.com/pub/background/iwct2016.pdf
Ashley Sheridan
Re: [PHP] PHP subset for user-defined functions
December 13, 2016 05:41AM
On 2 December 2016 19:17:36 GMT+00:00, sherwood@testcover.com wrote:
>I have developed and operated a Linux-Apache-MySQL-PHP service for
>several years. A new feature requires support for simple, user-defined
>functions, to return values used by the service. Here, we’re talking
>about front-end users on the internet, with some vetting, and typically
>with some software engineering experience. I’ve been thinking about
>security and support issues of course. Current plans are to offer a
>subset of PHP for the user-defined functions: Submitted functions would
>be scanned, and only allowed functions and keywords would be supported.
>Variable functions would be disallowed, etc. Does anyone have experience
>or advice regarding this type of approach?
>Thanks, George Sherwood
>These references describe the feature:
>http://testcover.com/pub/background/ecbecc.pdf
>http://testcover.com/pub/background/iwct2015.pdf
>http://testcover.com/pub/background/iwct2016.pdf

Even with the best of intentions, this sounds fraught with potential security flaws.

What sorts of things do you want them to be able to do? Is it feasible to offer them basic building blocks which can be connected to each other, e.g. graphical programming style?


Thanks,
Ash

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
George Sherwood
Re: [PHP] PHP subset for user-defined functions
December 13, 2016 05:41AM
> On 2 December 2016 19:17:36 GMT+00:00, sherwood@testcover.com wrote:
>> I have developed and operated a Linux-Apache-MySQL-PHP service for
>> several years. A new feature requires support for simple, user-defined
>> functions, to return values used by the service. Here, we’re talking
>> about front-end users on the internet, with some vetting, and typically
>> with some software engineering experience. I’ve been thinking about
>> security and support issues of course. Current plans are to offer a
>> subset of PHP for the user-defined functions: Submitted functions would
>> be scanned, and only allowed functions and keywords would be supported.
>> Variable functions would be disallowed, etc. Does anyone have experience
>> or advice regarding this type of approach?
>> Thanks, George Sherwood
>> These references describe the feature:
>> http://testcover.com/pub/background/ecbecc.pdf
>> http://testcover.com/pub/background/iwct2015.pdf
>> http://testcover.com/pub/background/iwct2016.pdf

> Even with the best of intentions, this sounds fraught with potential
> security flaws.

> What sorts of things do you want them to be able to do? Is it
> feasible to offer them basic building blocks which can be connected
> to each other, e.g. graphical programming style?


> Thanks,
> Ash

My apologies for the one-liner; I'm trying a different mailer now.

> Even with the best of intentions, this sounds fraught with potential
> security flaws.
Yes. This was my initial thought too. If you have specifics, I'd love
to hear them.
I have looked into vulnerabilities somewhat.

> What sorts of things do you want them to be able to do?
Here's an example. There are more in the PDFs cited above.

function Weight_boundary($Height,$BMI_boundary,$Input_limit) { /* Weight boundary value function */
    if($Height>0&&$BMI_boundary>0) {
        $w_hi=ceil($Height*$Height*$BMI_boundary/703.06957964); /* round up $w_hi so BMI >= $BMI_boundary */
        switch($Input_limit) {
            case 'min':
                return($w_hi); /* return minimum integer value for higher BMI class */
            case 'max':
                $w_lo=$w_hi-1;
                return $w_lo; /* return maximum integer value for lower BMI class */
        }
    }
}

> Is it feasible to offer them basic building blocks which can be
> connected to each other, e.g. graphical programming style?
I don't think so. The plan under consideration would use only the most basic,
safe internal functions.
BTW, I appreciate the power and flexibility of PHP. That's why I use it.
And I don't take the idea of limiting it lightly.

Best regards,
George


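One way to build the scanner George describes (allowed functions and keywords only, no variable functions), as an added example that is not code from this thread or from testcover.com: it runs PHP's own tokenizer over the submission instead of matching the source with regular expressions, so namespaced calls such as \system(), calls through a value ($f(), 'system'(), (expr)()), closures, interpolated strings and variable variables are rejected by token kind rather than by spelling. The function and constant allowlists, the class and helper names, and the sample sources in demo() are constructed for illustration and are not the service's real list.

```php
<?php
declare(strict_types=1);

/* Added example: a static allowlist gate for a PHP subset, built on token_get_all().
 * Allowlists below are illustrative choices for numeric helpers, not the service's. */
final class SubsetScanner
{
    /** Internal functions a submission may call (lower-case). None of these take a
     *  callback: array_map('system', ...) would be a call by string name. */
    private const FUNCTIONS = ['abs', 'ceil', 'floor', 'round', 'sqrt', 'pow', 'min',
        'max', 'intdiv', 'fmod', 'is_numeric', 'strlen', 'strtolower'];

    /** Bare identifiers (T_STRING not followed by '(') that are permitted. */
    private const CONSTANTS = ['true', 'false', 'null', 'm_pi', 'php_int_max'];

    /** Token kinds in the subset. Absent on purpose: T_EVAL, T_INCLUDE*, T_REQUIRE*,
     *  T_NEW, T_STATIC, T_GLOBAL, T_USE, T_ECHO, T_PRINT, T_EXIT, T_DOUBLE_COLON,
     *  T_OBJECT_OPERATOR, T_NS_SEPARATOR, T_FN, T_START_HEREDOC, T_CURLY_OPEN,
     *  T_DOLLAR_OPEN_CURLY_BRACES, T_CLOSE_TAG. */
    private const TOKENS = [T_OPEN_TAG, T_VARIABLE, T_LNUMBER, T_DNUMBER,
        T_CONSTANT_ENCAPSED_STRING, T_STRING, T_FUNCTION, T_RETURN, T_IF, T_ELSE,
        T_ELSEIF, T_SWITCH, T_CASE, T_DEFAULT, T_BREAK, T_CONTINUE, T_WHILE, T_FOR,
        T_FOREACH, T_AS, T_DOUBLE_ARROW, T_IS_EQUAL, T_IS_NOT_EQUAL, T_IS_IDENTICAL,
        T_IS_NOT_IDENTICAL, T_IS_SMALLER_OR_EQUAL, T_IS_GREATER_OR_EQUAL, T_BOOLEAN_AND,
        T_BOOLEAN_OR, T_INC, T_DEC, T_PLUS_EQUAL, T_MINUS_EQUAL, T_MUL_EQUAL, T_DIV_EQUAL,
        T_MOD_EQUAL, T_CONCAT_EQUAL, T_POW, T_INT_CAST, T_DOUBLE_CAST, T_STRING_CAST, T_BOOL_CAST];

    /** One-character tokens in the subset. Absent on purpose: '$' ($$x),
     *  '"' (interpolation), '`' (shell), '@', '\\'. */
    private const CHARS = ['(', ')', '{', '}', '[', ']', ';', ',', '=', '+', '-', '*',
        '/', '%', '.', '<', '>', '!', '?', ':', '&', '|', '^', '~'];

    /** @return string[] violations; an empty array means the source passed the gate. */
    public static function scan(string $source): array
    {
        $tokens = token_get_all("<?php " . $source);
        $errors = [];
        $declarations = 0;
        $ownName = null;  // the submitted function's name; recursion is allowed
        $prev = null;     // previous significant token: a string or [id, text, line]
        $line = 1;
        foreach ($tokens as $i => $tok) {
            if (is_string($tok)) {
                if (!in_array($tok, self::CHARS, true)) {
                    $errors[] = "line {$line}: disallowed token '{$tok}'";
                } elseif ($tok === '(' && self::isValue($prev)) {
                    $errors[] = "line {$line}: indirect call before '('";  // $f(), 'x'(), $a[0](), (e)()
                }
                $prev = $tok;
                continue;
            }
            [$id, $text, $line] = $tok;
            if ($id === T_WHITESPACE || $id === T_COMMENT || $id === T_DOC_COMMENT) {
                continue;  // not significant; $prev is kept
            }
            if (!in_array($id, self::TOKENS, true)) {
                $errors[] = "line {$line}: disallowed " . token_name($id) . " '{$text}'";
            } elseif ($id === T_FUNCTION) {
                // Exactly one declaration, directly after the open tag: no nested functions, no closures.
                if (++$declarations > 1 || !(is_array($prev) && $prev[0] === T_OPEN_TAG)) {
                    $errors[] = "line {$line}: only one top-level function is allowed";
                }
            } elseif ($id === T_STRING) {
                $name = strtolower($text);
                if (is_array($prev) && $prev[0] === T_FUNCTION) {
                    $ownName = $name;
                } elseif (self::next($tokens, $i) === '(') {
                    if ($name !== $ownName && !in_array($name, self::FUNCTIONS, true)) {
                        $errors[] = "line {$line}: call to non-allowlisted function {$text}()";
                    }
                } elseif (!in_array($name, self::CONSTANTS, true)) {
                    $errors[] = "line {$line}: unknown identifier {$text}";
                }
            }
            $prev = $tok;
        }
        if ($declarations !== 1) {
            $errors[] = 'source must declare exactly one function';
        }
        return $errors;
    }

    /** True when a '(' after $tok would be a call through a value rather than a name or keyword. */
    private static function isValue($tok): bool
    {
        if (is_string($tok)) {
            return $tok === ')' || $tok === ']' || $tok === '}';
        }
        return is_array($tok) && ($tok[0] === T_VARIABLE || $tok[0] === T_CONSTANT_ENCAPSED_STRING);
    }

    /** Next significant token after index $i, or null at end of input. */
    private static function next(array $tokens, int $i)
    {
        for ($j = $i + 1, $n = count($tokens); $j < $n; $j++) {
            $t = $tokens[$j];
            if (is_string($t) || !in_array($t[0], [T_WHITESPACE, T_COMMENT, T_DOC_COMMENT], true)) {
                return $t;
            }
        }
        return null;
    }
}

/** Constructed samples: the thread's Weight_boundary function and five escape attempts. */
function demo(): array
{
    $samples = [
        'weight_boundary'   => 'function Weight_boundary($Height,$BMI_boundary,$Input_limit) {' . "\n"
            . '  if($Height>0&&$BMI_boundary>0) {' . "\n"
            . '    $w_hi=ceil($Height*$Height*$BMI_boundary/703.06957964);' . "\n"
            . "    switch(\$Input_limit) { case 'min': return(\$w_hi); case 'max': return \$w_hi-1; }\n"
            . '  }' . "\n" . '}',
        'variable_function' => 'function f($x) { $g = "sys" . "tem"; return $g($x); }',
        'string_call'       => "function f(\$x) { return 'shell_exec'(\$x); }",
        'namespaced_call'   => 'function f($x) { return \system($x); }',
        'closure'           => 'function f($x) { return (function () use ($x) { return eval($x); })(); }',
        'interpolation'     => 'function f($x) { return "${$x}"; }',
    ];
    $result = [];
    foreach ($samples as $name => $src) {
        $result[$name] = SubsetScanner::scan($src);
    }
    return $result;
}
```

With these lists, demo() returns an empty violation list for weight_boundary and one or more violations for each of the other samples. Two caveats for anyone adapting it: the rule that no '(' may follow ')', ']' or '}' is deliberately conservative and will also flag the rare legitimate statement `if (...) (...)`; and the scanner is only a static gate. The accepted function still contains loops and recursion, so it should be executed in a separate worker process with max_execution_time, memory_limit and disable_functions set, not inside the request that serves other users.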
George Sherwood
Re: [PHP] PHP subset for user-defined functions
August 20, 2017 09:50PM
> > On 2 December 2016 19:17:36 GMT+00:00, sherwood@testcover.com wrote:
> > > I have developed and operated a Linux-Apache-MySQL-PHP service for
> > > several years. A new feature requires support for simple, user-defined
> > > functions, to return values used by the service. Here, we’re talking
> > > about front-end users on the internet, with some vetting, and typically
> > > with some software engineering experience. I’ve been thinking about
> > > security and support issues of course. Current plans are to offer a
> > > subset of PHP for the user-defined functions: Submitted functions would
> > > be scanned, and only allowed functions and keywords would be supported.
> > > Variable functions would be disallowed, etc. Does anyone have experience
> > > or advice regarding this type of approach?
> > > Thanks, George Sherwood
> > > These references describe the feature:
> > > http://testcover.com/pub/background/ecbecc.pdf
> > > http://testcover.com/pub/background/iwct2015.pdf
> > > http://testcover.com/pub/background/iwct2016.pdf
> >
> > Even with the best of intentions, this sounds fraught with potential
> > security flaws.
> >
> > What sorts of things do you want them to be able to do? Is it
> > feasible to offer them basic building blocks which can be connected
> > to each other, e.g. graphical programming style?
> >
> > Thanks,
> > Ash
>
> My apologies for the one-liner; I'm trying a different mailer now.
>
> > Even with the best of intentions, this sounds fraught with potential
> > security flaws.
> Yes. This was my initial thought too. If you have specifics, I'd
> love to hear them.
> I have looked into vulnerabilities somewhat.
>
> > What sorts of things do you want them to be able to do?
> Here's an example. There are more in the PDFs cited above.
>
> function Weight_boundary($Height,$BMI_boundary,$Input_limit) { /* Weight boundary value function */
>     if($Height>0&&$BMI_boundary>0) {
>         $w_hi=ceil($Height*$Height*$BMI_boundary/703.06957964); /* round up $w_hi so BMI >= $BMI_boundary */
>         switch($Input_limit) {
>             case 'min':
>                 return($w_hi); /* return minimum integer value for higher BMI class */
>             case 'max':
>                 $w_lo=$w_hi-1;
>                 return $w_lo; /* return maximum integer value for lower BMI class */
>         }
>     }
> }
>
> > Is it feasible to offer them basic building blocks which can be
> > connected to each other, e.g. graphical programming style?
> I don't think so. The plan under consideration would use only the most basic,
> safe internal functions.
> BTW, I appreciate the power and flexibility of PHP. That's why I use it.
> And I don't take the idea of limiting it lightly.
>
> Best regards,
> George

Since the last post I continued with the original plan: Users of the embedded
functions feature submit user-defined functions containing a subset of PHP, to
limit support and security issues. The feature has been available since
2017-06-30 (to subscribers and friendly experts).

I would welcome feedback from this group. Examples of embedded functions and
their use are at http://testcover.com/pub/background/examples2017.php
The motivation for EFs is described in
http://testcover.com/pub/background/ecbecc.pdf

Best regards,
George

