Mac Os

Reputation: 97

How can I limit used functions in uploaded PHP file?

I'm trying to make a plugin system, and the plugins contain PHP code. I think that if someone evil reaches the area that uploads this plugin, he can upload evil code, so I want to limit the functions used in the plugin file; for example, if there is eval() or the base64_encode function, the upload should fail.

I think this will be done with a regex, but I have no experience with it.

So I want something like this:

<?php

$file = 'plugin.php';

$content = file_get_contents($file);

if(file_is_secure($content)){
    upload($file);
}else{
    exit('evil');
}

?>

See this example:

<?php
    // List the function definitions found in example.php.
    $content = file_get_contents('example.php');
    preg_match_all("/(function )(\S*\(\S*\))/", $content, $matches);
    $function = [];
    foreach ($matches[2] as $match) {
        $function[] = "// " . trim($match) . "<br />\n";
    }
    natcasesort($function);
    $functionlist = "/* Functions in this file */<br />\n";
    $functionlist .= "/**************************/<br />\n\n";
    $functionlist .= implode('', $function);
    echo $functionlist;
?>

I want one like this, but for making a white list, and not for use functions, but for the function itself. I mean function(); not function name(){}

Upvotes: 0

Views: 97

Answers (1)

Mark Baker

Reputation: 212482

Take a look at the runkit extension for PHP. This allows you to remove or redefine PHP functions, and to execute PHP code within a sandbox environment.

Upvotes: 4
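
The allow-list check the question describes, as an added example that is not part of the original question or answer: it walks PHP's tokenizer output instead of a regex and rejects any call it cannot resolve to an allow-listed plain function name. The allow-list contents, `plugin_violations()` and both sample plugins are assumptions made for illustration, and the code targets PHP 8.

```php
<?php
// Added example (PHP 8+): fail-closed allow-list check built on the tokenizer.
// ALLOWED_FUNCTIONS and both sample plugins are constructed for illustration.
const ALLOWED_FUNCTIONS = ['strtoupper', 'trim', 'htmlspecialchars'];
// Constructs that execute code or files without being function calls.
const FORBIDDEN_CONSTRUCTS = [T_EVAL, T_INCLUDE, T_INCLUDE_ONCE, T_REQUIRE, T_REQUIRE_ONCE];
// Tokens that make the call target a namespaced name or a runtime value.
const NON_PLAIN_CALLEE = [T_VARIABLE, T_CONSTANT_ENCAPSED_STRING, T_NAME_QUALIFIED,
                          T_NAME_FULLY_QUALIFIED, T_NAME_RELATIVE];
const MEMBER_PREFIX = [T_OBJECT_OPERATOR, T_NULLSAFE_OBJECT_OPERATOR, T_DOUBLE_COLON, T_NEW];

function plugin_violations(string $source): array
{
    $skip = [T_WHITESPACE, T_COMMENT, T_DOC_COMMENT];
    // Drop whitespace and comments so "name (" and "name /* */ (" look alike.
    $tokens = array_values(array_filter(
        token_get_all($source),
        fn($t) => !is_array($t) || !in_array($t[0], $skip, true)
    ));
    $found = [];
    foreach ($tokens as $i => $tok) {
        if ($tok === '`') {
            $found[] = 'backtick shell execution';
        } elseif (is_array($tok) && in_array($tok[0], FORBIDDEN_CONSTRUCTS, true)) {
            $found[] = "construct {$tok[1]} on line {$tok[2]}";
        }
        if ($tok !== '(' || $i === 0) {
            continue;
        }
        $prev = $tokens[$i - 1]; // the token being called
        $beforeId = is_array($tokens[$i - 2] ?? null) ? $tokens[$i - 2][0] : null;
        // "function name(" is a definition, not a call, so it is skipped here.
        if (is_array($prev) && $prev[0] === T_STRING && $beforeId !== T_FUNCTION) {
            $plain = !in_array($beforeId, MEMBER_PREFIX, true);
            if (!$plain || !in_array(strtolower($prev[1]), ALLOWED_FUNCTIONS, true)) {
                $found[] = "call to {$prev[1]}() on line {$prev[2]}";
            }
        } elseif (in_array($prev, [')', ']', '}'], true)
            || (is_array($prev) && in_array($prev[0], NON_PLAIN_CALLEE, true))) {
            $found[] = 'call through a non-literal or namespaced target';
        }
    }
    return $found;
}

$good = '<?php function greet($n) { return strtoupper(trim($n)); }';
$bad  = '<?php $f = "strtoupper"; echo $f("x"); eval($_POST["c"]);';
var_dump(plugin_violations($good)); // constructed plugin using only listed calls
var_dump(plugin_violations($bad));  // constructed plugin with a variable call and eval
```

A static check like this only decides what the file's text contains; a sandbox such as the one the answer points to constrains what the code can do when it runs.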
