So I'm thinking of building a CMS, sort of, and I'd like it to be designed so that plugins can extend its functionality easily (I'm working on a hook system and language setup as well).
Here's the tricky part: rather than an individually packaged CMS, I'm trying to make a sort of host for many sites (e.g. mycms.com/your-site).
I'm designing the MySQL database with a structure like this:
pages
  - id
  - slug
  - title
  - content
  - site // The site id

sites
  - id
  - path // e.g. your-site
  - password // hash
Then I'll store plugins like this in the file structure:
plugins/
  42/ // Site id
    hello-world/ // plugin name
      hello-world.php
      functions.php
      css/ // ...
Of course, there's a critical security problem here. Say a plugin author codes hello-world.php like so:
<?php
include '../../../core/config.inc.php';
echo $config['mysql']['password']; // Now they have my server's database password!
?>
How do I circumvent something like this? How can I control it so that hello-world.php only has access to files within the directory hello-world/ and nothing above it? Essentially, I want to ban plugins from accessing files outside of their own directory.
This must be simple, right?
Thanks!
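
One way to get the confinement asked about above, as an added example that is not part of the original post: run each plugin in a child PHP process with the open_basedir ini directive set to that plugin's directory. It assumes the host launches plugins as separate processes rather than include()-ing them; the temp paths, the placeholder secret and the run_plugin() helper are constructed for the illustration.

```php
<?php
// Added example. Paths and the secret are constructed; layout mirrors the question.
$root = sys_get_temp_dir() . '/cms-demo-' . bin2hex(random_bytes(4));
mkdir("$root/core", 0700, true);
mkdir("$root/plugins/42/hello-world", 0700, true);
$plugin = realpath("$root/plugins/42/hello-world");

// Constructed stand-in for core/config.inc.php.
file_put_contents("$root/core/config.inc.php",
    "<?php \$config = ['mysql' => ['password' => 'PLACEHOLDER-SECRET']];\n");

// The plugin from the question; __DIR__ makes the relative path independent of cwd.
file_put_contents("$plugin/hello-world.php",
    "<?php\n@include __DIR__ . '/../../../core/config.inc.php';\n" .
    "echo isset(\$config) ? \$config['mysql']['password'] : 'config not readable';\n");

// Run a plugin entry file in a child PHP process (assumption: the host does not
// include() plugin code into its own process). $confine toggles the restrictions.
function run_plugin(string $pluginDir, string $entry, bool $confine): string
{
    $cmd = [PHP_BINARY, '-n'];               // -n: ignore php.ini for a known baseline
    if ($confine) {
        // Trailing slash so a sibling such as hello-world-2/ is not also allowed.
        $cmd[] = '-d';
        $cmd[] = 'open_basedir=' . $pluginDir . '/';
        // open_basedir only covers PHP file functions; block process spawning too.
        $cmd[] = '-d';
        $cmd[] = 'disable_functions=exec,shell_exec,system,passthru,popen,proc_open';
    }
    $cmd[] = "$pluginDir/$entry";
    $proc = proc_open($cmd, [1 => ['pipe', 'w'], 2 => ['pipe', 'w']], $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start plugin process');
    }
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    proc_close($proc);
    return $out;
}

echo "unconfined: ", run_plugin($plugin, 'hello-world.php', false), "\n";
echo "confined:   ", run_plugin($plugin, 'hello-world.php', true), "\n";
```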