alexeyrybak/blitz

PHP callbacks restrictions (was: About PHP callback)

Opened this issue · 2 comments

PHP callback is great. But it has a security problem when we are in a shared environment where we offer users to create their own templates only, without access to PHP code.

Imagine how dangerous this code is:
{{ php::exec("rm -rf /home") }}

It can be avoided by simply disabling PHP callback, but I think it is a good idea to make a new directive, e.g. blitz.allowed_php_functions and blitz.allowed_php_class.

I will keep this here; in general I agree with the feature, but I will not have time to implement this in the near future. Maybe create a quickfix to disable exec, or enable everything from a specific class/namespace. To be fair, I added callbacks just because "every template system has callbacks", but we (Badoo) never used them that much. So any comments and ideas from other users on how to implement these restrictions are all welcome and appreciated.

It's easy. Just process the user template on upload, searching for `{{\s_[^:]+::`, and allow only the classes you allow specifically. Also, searching for `{{\s_[^\(]+(` will help you find 'generic' callbacks like `{{exec(...)}}`; then you may only allow 'q' here, and be safe.
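An added example of the upload-time screening suggested in the comment above (not code from Blitz or from anyone in this thread): it scans a template for `Class::method(` and bare `func(` callbacks and rejects anything outside an allowlist. It goes slightly beyond the comment by allowlisting methods per class rather than whole classes; the regex, the sample template and the allowlists are assumptions, and the screen is only a pre-check, not a substitute for disabling callbacks in the extension.

```python
import re

# Assumed callback shapes, taken from the thread: {{ Class::method(...) }}
# and {{ func(...) }}. Group 1 is the optional class, group 2 the callee.
CALLBACK_RE = re.compile(
    r"\{\{\s*(?:([A-Za-z_][\w\\]*)\s*::\s*)?([A-Za-z_]\w*)\s*\("
)

# Assumed allowlists: which methods each class may expose to templates,
# and which bare functions are permitted ('q' as in the comment).
ALLOWED_CLASSES = {"Html": {"escape"}}
ALLOWED_FUNCTIONS = {"q"}

# Constructed sample template containing both of the thread's examples.
SAMPLE_TEMPLATE = """Hello {{ name }},
{{ q('safe') }}
{{ php::exec("rm -rf /home") }}
{{exec(...)}}
{{ Html::escape(title) }}
"""


def find_callbacks(template):
    """Return (class_or_None, function) for every callback-looking
    expression in the template, in source order. Plain variable
    substitutions such as {{ name }} have no '(' and are skipped."""
    return [(m.group(1), m.group(2)) for m in CALLBACK_RE.finditer(template)]


def check_template(template, allowed_classes, allowed_functions):
    """Return the disallowed callbacks found in `template`, as
    'Class::method' or 'function' strings. An empty list means the
    template passed the allowlist and may be stored."""
    violations = []
    for cls, func in find_callbacks(template):
        if cls is not None:
            if func not in allowed_classes.get(cls, set()):
                violations.append(f"{cls}::{func}")
        elif func not in allowed_functions:
            violations.append(func)
    return violations


if __name__ == "__main__":
    bad = check_template(SAMPLE_TEMPLATE, ALLOWED_CLASSES, ALLOWED_FUNCTIONS)
    print("rejected callbacks:", bad)  # ['php::exec', 'exec']
```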