Mantis - Quercus
Viewing Issue Advanced Details
2072 minor always 10-16-07 11:18 09-05-08 13:29
ferg  
ferg  
normal  
closed 3.1.3  
fixed  
none    
none 3.2.1  
0002072: Quercus security enhancements as a scripting language
First, let me say you guys have done a great job with Quercus, and I'm very impressed. I've crawled through the code quite a bit, and it's extremely well-written and logical. Very easy to understand. Amazing work!

I'm developing an application where we hope to embed PHP as a templating language (i.e., what it was originally intended to be). The interesting bit is that PHP has developed into this incredibly insecure monstrosity. As in, you can develop PHP applications that are secure, but as a templating language (where the user can define any template he/she wants) it is an absolute horror show.

After looking at Quercus, it seems fairly obvious how we can lock down an embedded PHP solution. Please correct me if I'm wrong, but by modifying the files:

META-INF/services/com.caucho.quercus.QuercusClass
META-INF/services/com.caucho.quercus.QuercusModule

I can easily eliminate the unsafe modules and classes (basically File/DB/URL/Socket I/O).

If I'm wrong in this, please let me know. Also, others may have similar needs. You may want to think about adding in some bits of code that would allow a developer to programmatically manipulate the function/class tables, or create a fresh Quercus instance and then load modules manually.

A simple solution seems to be in com.caucho.quercus.script.QuercusScriptEngine:

    QuercusScriptEngine(QuercusScriptEngineFactory factory)
    {
      _factory = factory;
      _quercus = new Quercus();
    }

adding a public constructor like:

    public QuercusScriptEngine(QuercusScriptEngineFactory factory, Quercus quercus)
    {
      _factory = factory;
      _quercus = quercus;
    }

would probably get about halfway there actually. Then a developer can extend Quercus to provide their own custom loading behavior. I may submit a patch down the road if you guys are interested in this.

There are no notes attached to this issue.
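
Added example (not part of the original report and not Caucho's code): a build-time filter for the two META-INF/services files named in the report, written as an allowlist so that a module added in a later release is dropped unless someone explicitly approves it. It assumes the files list one class name per line with optional # comments; the class name ServiceFileAllowlist and the example.lib.* module names are hypothetical placeholders, not real Quercus classes.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

public class ServiceFileAllowlist {
  // Returns only the provider class names that are explicitly allowlisted.
  // Anything else (including modules unknown to the reviewer) is dropped.
  static List<String> filter(List<String> lines, Set<String> allowed) {
    List<String> kept = new ArrayList<>();
    for (String line : lines) {
      int hash = line.indexOf('#');                 // strip trailing comment
      String name = (hash >= 0 ? line.substring(0, hash) : line).trim();
      if (name.isEmpty()) continue;                 // blank or comment-only line
      if (allowed.contains(name)) kept.add(name);
      else System.err.println("dropped: " + name);  // audit trail for the build log
    }
    return kept;
  }

  public static void main(String[] args) throws IOException {
    // Hypothetical allowlist: pure-computation modules only.
    Set<String> allowed = new HashSet<>(Arrays.asList(
        "example.lib.StringModule", "example.lib.MathModule"));

    // With an argument, filter a real service file; otherwise use the
    // constructed sample below so the program runs offline.
    List<String> lines = args.length > 0
        ? Files.readAllLines(Paths.get(args[0]))
        : Arrays.asList(
            "# constructed sample of a QuercusModule service file",
            "example.lib.StringModule",
            "example.lib.MathModule   # no I/O",
            "example.lib.FileModule",
            "example.lib.SocketModule",
            "");

    List<String> kept = filter(lines, allowed);
    // A missing allowlisted entry usually means a typo or a renamed class.
    if (new HashSet<>(kept).size() != allowed.size())
      throw new IllegalStateException("allowlisted module not found in input");
    kept.forEach(System.out::println);              // write this as the new file
  }
}
```

If more than one jar on the classpath carries a copy of these service files, each copy needs the same filtering before the restriction can be relied on.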