I’ve been thinking for a while about the idea of allowing user to inject code on website and run it on a web server. It’s not a new idea – many websites allow users to “test” their code online – such as http://ideone.com/.
For example: Let’s say that we have a form containing <textarea> element in which that user enters his piece of code and then submits it. Server reads POST data, saves as PHP file and require()s it while being surrounded by ob_*() output buffering handlers. Captured output is presented to end user.
My question is: how to do it properly? Things that we should take into account [and possible solutions]:
- security, user is not allowed to do anything evil,
- php.ini’s disable_functions
- stability, user is not allowed to kill webserver submitting while(true){},
- performance, server returns answer in an acceptable time,
- control, user can do anything that matches previous points.
I would prefer PHP-oriented answers, but general approach is also welcome. Thank you in advance.
I would think about this problem one level higher, above and outside of the web server. Have a very unprivileged, jailed, chroot’ed standalone process for running these uploaded PHP scripts, then it doesn’t matter what PHP functions are enabled or not, they will fail based on permissions and lack of access.
Have a parent process that monitors how long the above mentioned “worker” process has been running, if its been too long, kill it, and report back a timeout error to the end user.
Obviously there are many implementation details to work out as to how to run this system asynchronously outside of the browser request, but I think it would provide a pretty secure way to run your untrusted PHP scripts.