Mantis Bugtracker
  

Viewing Issue Simple Details Jump to Notes ] View Advanced ] Issue History ] Print ]
ID Category Severity Reproducibility Date Submitted Last Update
0002072 [Quercus] minor always 10-16-07 11:18 09-05-08 13:29
Reporter ferg View Status public  
Assigned To ferg
Priority normal Resolution fixed  
Status closed   Product Version 3.1.3
Summary 0002072: Quercus security enhancements as a scripting language
Description First, let me say you guys have done a great job with Quercus, and I'm very impressed. I've crawled through the code quite a bit, and it's extremely well-written and logical. Very easy to understand. Amazing work!

I'm developing an application where we hope to embed PHP as a templating language (i.e., what it was originally intended to be). The interesting bit is that PHP has developed into this increadibly insecure monstrosity. As in, you can develop PHP applications that are secure, but as a templating language (where the user can define any template he/she wants) it is an absolute horror show.

After looking at Quercus, it seems fairly obvious how we can lock down an embedded PHP solution. Please correct me if I'm wrong, but by modifying the files:

META-INF/services/com.caucho.quercus.QuercusClass
META-INF/services/com.caucho.quercus.QuercusModule

I can easily eliminate the unsafe modules and classes (basically File/DB/URL/Socket I/O).

If I'm wrong in this, please let me know. Also, others may have similar needs. You may want to think about adding in some bits of code that would allow a developer to programatically manipulate the function/class tables, or create a fresh quercus instance and then load modules manually.

A simple solution seems to be in com.caucho.quercus.script.QuercusScriptEngine:

QuercusScriptEngine(QuercusScriptEngineFactory factory)
{
_factory = factory;
_quercus = new Quercus();
}

adding a public constructor like:

public QuercusScriptEngine(QuercusScriptEngineFactory factory, Quercus quercus)
{
_factory = factory;
_quercus = quercus;
}

would probably get about halfway there actually. Then a developer can extend Quercus to provide their own custom loading behavior. I may submit a patch down the road if you guys are interested in this.
Additional Information
Attached Files

- Relationships

There are no notes attached to this issue.

- Issue History
Date Modified Username Field Change
10-16-07 11:18 ferg New Issue
09-05-08 13:29 ferg Assigned To  => ferg
09-05-08 13:29 ferg Status new => closed
09-05-08 13:29 ferg Resolution open => fixed
09-05-08 13:29 ferg Fixed in Version  => 3.2.1
09-05-08 13:29 ferg Description Updated


Mantis 1.0.0rc3[^]
Copyright © 2000 - 2005 Mantis Group
27 total queries executed.
24 unique queries executed.
Powered by Mantis Bugtracker