Request #42116 Safe eval()
Submitted: 2007-07-26 20:56 UTC Modified: 2013-05-29 09:24 UTC
Votes:5
Avg. Score:4.4 ± 0.8
Reproduced:5 of 5 (100.0%)
Same Version:2 (40.0%)
Same OS:2 (40.0%)
From: kripper3 at hotmail dot com Assigned: maarten (profile)
Status: Closed Package: *General Issues
PHP Version: 5.2.3 OS: Irrelevant
Private report: No CVE-ID: None
 [2007-07-26 20:56 UTC] kripper3 at hotmail dot com
Description:
------------
eval($code) makes it possible to execute PHP code.
It becomes useful when $code is provided dynamically (by the user of the application).
For example, in order to compute a math expression provided by the user via a Web Interface.
A lot of applications are using eval() this way.
The problem is that eval() is not safe, and makes it possible to inject code.
For example, instead of providing a math expression, I could provide code for listing files, getting the content of the scripts and obtaining hardcoded passwords.
On http://www.php.net/manual/en/function.eval.php#75389 someone proposed a parser to detect disallowed PHP functions, but since the evaled code can be very flexible (i.e. "$a = 'un' . 'link'; $a('<file>')"), it seems the solution must be implemented in the engine.
In other words, there should be a secure sandbox eval() function, let's say "save_eval()".

I guess this could be difficult to implement.
Besides, the definition of "save" may be subjective.

I would define "save" as, at least, to not allow someone to do I/O operations (i.e. read/write files, access URLs, etc.) and not access the application's code space (i.e. change $GLOBALS, $_SESSION, $_SERVER, etc).

Today, using eval() implies a security risk in almost any app that uses this function. Besides, we are missing a BIG RED WARNING BOX in the documentation page to inform our PHP users. Therefore, it is a social bug.

Related "Bug":

http://bugs.php.net/bug.php?id=40722&edit=2

IMO, it's not a serious answer, since OS privileges cannot avoid reading passwords in PHP scripts or injecting:

$_SESSION['isAdmin'] = 'ok...let_me_hack_your_php_app';

Reproduce code:
---------------
eval(<any malicious code>)

or

save_eval(<any malicious code>)


Expected result:
----------------
ERROR: Evaled code cannot execute function '<disallowed function name>'

Actual result:
--------------
Irrelevant.

History
 [2010-09-07 15:56 UTC] cyko@php.net
-Package: Feature/Change Request +Package: *General Issues
 [2011-11-23 13:37 UTC] zyss at mail dot zp dot ua
You should use an arithmetic expression parser instead of using eval() for such purposes, IMHO.

There are tons of such parsers for PHP and nothing prevents you from writing your own.

Exposing eval() to users is a very bad thing whatever filters are there.
 [2013-05-29 09:24 UTC] maarten@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: maarten
 [2013-05-29 09:24 UTC] maarten@php.net
Whitelisting is always safer than blacklisting, so you should add a specific whitelist.

Instead of writing a whitelist for this specific usage (i.e. arithmetic), you'd just as well grab a specific parser made for the job. :)
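The alternative both replies point to, written out as an added example that is not part of the bug report or of PHP itself: a whitelist tokenizer plus a recursive-descent evaluator for arithmetic, so user input is only ever parsed as data and never reaches eval(). The class name SafeArith and its grammar (numbers, + - * /, unary minus, parentheses) are choices made for this example.

```php
<?php
// Added example (not from the bug report): evaluates arithmetic without eval().
// Tokenizer is a whitelist; anything outside it is rejected before evaluation.
final class SafeArith
{
    private array $tokens;
    private int $pos = 0;

    private function __construct(array $tokens) { $this->tokens = $tokens; }

    public static function evaluate(string $expr): float
    {
        $s = preg_replace('/\s+/', '', $expr);
        // Only number tokens and the six operator/bracket characters may appear.
        preg_match_all('/\d+(?:\.\d+)?|[-+*\/()]/', $s, $m);
        if ($s === '' || implode('', $m[0]) !== $s) {
            throw new InvalidArgumentException('expression contains disallowed characters');
        }
        $p = new self($m[0]);
        $v = $p->expr();
        if ($p->pos !== count($p->tokens)) {
            throw new InvalidArgumentException('unexpected token');
        }
        return $v;
    }

    private function peek(): ?string { return $this->tokens[$this->pos] ?? null; }

    private function expr(): float {  // expr := term (('+'|'-') term)*
        $v = $this->term();
        while (($op = $this->peek()) === '+' || $op === '-') {
            $this->pos++;
            $r = $this->term();
            $v = $op === '+' ? $v + $r : $v - $r;
        }
        return $v;
    }

    private function term(): float {  // term := factor (('*'|'/') factor)*
        $v = $this->factor();
        while (($op = $this->peek()) === '*' || $op === '/') {
            $this->pos++;
            $r = $this->factor();
            if ($op === '/' && $r == 0.0) throw new InvalidArgumentException('division by zero');
            $v = $op === '*' ? $v * $r : $v / $r;
        }
        return $v;
    }

    private function factor(): float {  // factor := '-' factor | '(' expr ')' | number
        $t = $this->peek();
        if ($t === '-') { $this->pos++; return -$this->factor(); }
        if ($t === '(') {
            $this->pos++;
            $v = $this->expr();
            if ($this->peek() !== ')') throw new InvalidArgumentException('missing )');
            $this->pos++;
            return $v;
        }
        if ($t === null || !is_numeric($t)) throw new InvalidArgumentException('expected number');
        $this->pos++;
        return (float) $t;
    }
}

echo SafeArith::evaluate('2 * (3 + 4) - 10 / 4'), "\n";
try {
    SafeArith::evaluate("\$a = 'un' . 'link'; \$a('<file>')");  // the report's own injection example
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

Because the tokenizer never produces an identifier or string token, there is no "disallowed function" to blacklist: any name, quote or semicolon fails the whitelist check up front.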
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved.
Last updated: Thu Apr 24 10:01:28 2025 UTC