Regular user 2014-04-17 10:20
53 views

What are the risks of using PHP eval to compose dynamic classes?

I was reading: When (if ever) is eval NOT evil? and a few other guides on the net about when to use eval and when not. None of these posts could really answer my question about security concerns regarding dynamic class compositing at run-time.

Background: As we can't use PHP 5.4 traits to properly mix classes into each other, we needed another solution to get dynamic mixins. So we found this particular class on Github: https://github.com/wellspringworldwide/PHP-ClassMixer/blob/master/ClassMixer.php which does exactly what we want.

I am not really an expert at evaluating such code in regard to potential security risks, but maybe somebody on Stackoverflow knows what the risks of such methods are.

As far as I understood, the basis for security concerns with this method of using eval for class composition is only given when

  1. The class to be mixed into another class is accessible and modifiable from outside, for instance via file or RPC access
  2. A user can gain access to the running context, i.e., the surrounding code loads plugin code
  3. A user gains access to the application's working memory and alters data there.

None of these circumstances are given in our application, but I am not sure whether there are other conditions we need to think about when using eval that way!?

Thank you.


1 answer

  • duandu8202 2014-04-17 12:08

    Eval basically is bad because it's eval() :D

    No seriously:

    You should NEVER compose some source and throw it into eval. As soon as the script composing the source has any dependent data sources, like a DB backend, the file system (reading especially text files) or (even worse) some form data, there's always the chance of invasive and damaging code being injected (e.g. ;exec('rm -rf /');).

    Using the Decorator Pattern might help you out. Please read this and that as a primer to understanding the Decorator Pattern.

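To make the answer's point concrete, here is an added example (not code from the question, the answer, or the PHP-ClassMixer project) of a minimal eval-based mixin composer in its risky form and in a hardened form that validates every fragment before it is interpolated into source; all function names are assumptions.

```php
<?php
// UNSAFE: every fragment that reaches eval() is trusted blindly. If the
// class name or a method name comes from a DB row, a file or a request,
// it becomes part of the source that eval() compiles.
function composeMixinUnsafe(string $newClass, array $methodNames): void
{
    $body = '';
    foreach ($methodNames as $name) {
        $body .= "public function $name() { return '$name'; }\n";
    }
    eval("class $newClass { $body }");
}

// HARDENED: every fragment must match the PHP identifier grammar before
// it is interpolated, so punctuation such as ';', '(' or '}' can never
// reach the compiler, and a class name that already exists is refused.
function assertIdentifier(string $s): string
{
    if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $s)) {
        throw new InvalidArgumentException("refusing to compose code from: $s");
    }
    return $s;
}

function composeMixinSafe(string $newClass, array $methodNames): void
{
    $newClass = assertIdentifier($newClass);
    if (class_exists($newClass, false)) {
        throw new RuntimeException("$newClass is already defined");
    }
    $body = '';
    foreach ($methodNames as $name) {
        $name = assertIdentifier($name);
        $body .= "public function $name() { return '$name'; }\n";
    }
    eval("class $newClass { $body }");
}

// Constructed input: the second "method name" is the kind of value a
// tampered data source could deliver. The unsafe composer would compile
// it as extra code; the hardened composer rejects it before eval() runs.
$fromDataSource = ['greet', "x() {} public function extra() { return 1; } public function y"];
composeMixinSafe('GoodMixin', ['greet']);
var_dump(method_exists('GoodMixin', 'greet'));
try {
    composeMixinSafe('BadMixin', $fromDataSource);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
```

The identifier check is the minimum; if the composed body also embeds values (not just names), those need the same treatment, and a design that delegates via __call or a decorator avoids the eval step entirely.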
