0

I am writing an application where I want to allow some users to write / run / test their code on my server, with some preloaded code from my application. I want these users to be able to work only in their directory and this task can be done with open_basedir();, but the problem is that if I want to include my application's code I get permission denied if the require or include is inside a function or a class so the file is not included before open_basedir was called.

Example : 

<?php

function test()
{
    require 'test.php';
}

test(); // ok

ini_set('open_basedir', 'users/username/');

test(); // permission denied

Is it possible somehow to allow "trusted" code of the application to be included but don't allow the user's code to access another directories? And if it is possible, give me an example or the main idea on how I can resolve this, even if this is not related to the open_basedir()

In my example, I would like to not have the permission denied. This will give me possibility to add some great features to my application.

Another Example : 

spl_autoload_register(function($class) {
    require $class . '.php';
});

ini_set('open_basedir', 'folder/');

new Test(); // Warning: require(): open_basedir restriction in effect.
John
  • 7,500
  • 16
  • 62
  • 95
  • do you realize you gave a relative file path to open_basedir? – goat Jun 07 '14 at 14:07
  • @rambocoder, yes, but this is just an example of what I am trying to do, in real code I will set absolute path – John Jun 07 '14 at 14:21

1 Answers1

0

Well, if there is no another solution, I will present my own.

I am sure that this is not the best way, but it works as expected.

First of all, all my users who will have the option to write/run their custom code will have to upload it to my server, or to write it on the website (then save), so I have to check the code only before save, with something that imitates a sandbox, with abstractization of my application. Next I will run that code in the sandbox (with modified open_basedir limitation) and if code has no fatal errors (and it have not modified another files in working directory [if modified, then these files will be also checked]) it will then be saved. After that user will have option to run the code in real application.

Cons :

  • Abstractization of entire application (on every change in application's structure)

Pros :

  • Allow third party code to access only files / functions / classes you want
  • Block features / methods unknown code should not access
  • Securely execute unknown code
  • No need to check code on every execution
  • No external libraries are required
John
  • 7,500
  • 16
  • 62
  • 95