mirror of
https://github.com/sigmasternchen/php-doc-en
synced 2025-03-26 22:08:55 +00:00
96c9d88bad
git-svn-id: https://svn.php.net/repository/phpdoc/en/trunk@297028 c90b9560-bf6c-de11-be94-00142212c4b1
437 lines
13 KiB
XML
437 lines
13 KiB
XML
<?xml version="1.0" encoding="utf-8"?>
|
|
<!-- $Revision$ -->
|
|
<!-- Generated by xml_proto.php v2.2. Found in /scripts directory of phpdoc. -->
|
|
<refentry xml:id="runkit.sandbox" xmlns="http://docbook.org/ns/docbook">
|
|
<refnamediv>
|
|
<refname>Runkit_Sandbox</refname>
|
|
<refpurpose>
|
|
Runkit Sandbox Class -- PHP Virtual Machine
|
|
</refpurpose>
|
|
</refnamediv>
|
|
<refsect1 role="description">
|
|
&reftitle.description;
|
|
|
|
<para>
|
|
Instantiating the <classname>Runkit_Sandbox</classname>
|
|
class creates a new thread with its own scope
|
|
and program stack. Using a set of options passed to the constructor, this environment
|
|
may be restricted to a subset of what the primary interpreter can do and provide a
|
|
safer environment for executing user supplied code.
|
|
</para>
|
|
|
|
¬e.runkit.sandbox;
|
|
</refsect1>
|
|
|
|
<refsect1 role="constructor">
|
|
<title>Constructor</title>
|
|
<methodsynopsis>
|
|
<type>void</type><methodname>Runkit_Sandbox::__construct</methodname>
|
|
<methodparam choice="opt"><type>array</type><parameter>options</parameter></methodparam>
|
|
</methodsynopsis>
|
|
|
|
<para>
|
|
<parameter>options</parameter> is an associative array containing
|
|
any combination of the special ini options listed below.
|
|
</para>
|
|
|
|
<para>
|
|
<variablelist>
|
|
<varlistentry>
|
|
<term><parameter>safe_mode</parameter></term>
|
|
<listitem>
|
|
<para>
|
|
If the outer script which is instantiating the
|
|
<classname>Runkit_Sandbox</classname> class
|
|
is configured with <literal>safe_mode = off</literal>, then safe_mode
|
|
may be turned on for the sandbox environment. This setting can not
|
|
be used to disable <literal>safe_mode</literal> when it's already
|
|
enabled in the outer script.
|
|
</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term><parameter>safe_mode_gid</parameter></term>
|
|
<listitem>
|
|
<para>
|
|
If the outer script which is instantiating the
|
|
<classname>Runkit_Sandbox</classname> class
|
|
is configured with <literal>safe_mode_gid = on</literal>, then safe_mode_gid
|
|
may be turned off for the sandbox environment. This setting can not
|
|
be used to enable <literal>safe_mode_gid</literal> when it's already
|
|
disabled in the outer script.
|
|
</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term><parameter>safe_mode_include_dir</parameter></term>
|
|
<listitem>
|
|
<para>
|
|
If the outer script which is instantiating the
|
|
<classname>Runkit_Sandbox</classname> class
|
|
is configured with a <literal>safe_mode_include_dir</literal>,
|
|
then a new safe_mode_include_dir may be set for sandbox environments
|
|
below the currently defined value. safe_mode_include_dir may also be
|
|
cleared to indicate that the bypass feature is disabled.
|
|
If safe_mode_include_dir was blank in the outer script, but safe_mode
|
|
was not enabled, then any arbitrary safe_mode_include_dir may be set
|
|
while turning safe_mode on.
|
|
</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term><parameter>open_basedir</parameter></term>
|
|
<listitem>
|
|
<para>
|
|
<parameter>open_basedir</parameter> may be set to any path below the
|
|
current setting of <literal>open_basedir</literal>. If
|
|
<literal>open_basedir</literal> is not set within the global scope,
|
|
then it is assumed to be the root directory and may be set to any location.
|
|
</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term><parameter>allow_url_fopen</parameter></term>
|
|
<listitem>
|
|
<para>
|
|
Like <parameter>safe_mode</parameter>, this setting can only be made more restrictive,
|
|
in this case by setting it to &false; when it is previously set to &true;
|
|
</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term><parameter>disable_functions</parameter></term>
|
|
<listitem>
|
|
<para>
|
|
Comma separated list of functions to disable within the sandbox sub-interpreter.
|
|
This list need not contain the names of the currently disabled functions,
|
|
they will remain disabled whether listed here or not.
|
|
</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term><parameter>disable_classes</parameter></term>
|
|
<listitem>
|
|
<para>
|
|
Comma separated list of classes to disable within the sandbox sub-interpreter.
|
|
This list need not contain the names of the currently disabled classes,
|
|
they will remain disabled whether listed here or not.
|
|
</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term><parameter>runkit.superglobal</parameter></term>
|
|
<listitem>
|
|
<para>
|
|
Comma separated list of variables to be treated as superglobals within the
|
|
sandbox sub-interpreter. These variables will be used in addition to any
|
|
variables defined internally or through the global runkit.superglobal setting.
|
|
</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term><parameter>runkit.internal_override</parameter></term>
|
|
<listitem>
|
|
<para>
|
|
Ini option <literal>runkit.internal_override</literal> may be disabled
|
|
(but not re-enabled) within sandboxes.
|
|
</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
</variablelist>
|
|
</para>
|
|
|
|
<example>
|
|
<title>Instantiating a restricted sandbox</title>
|
|
<programlisting role="php">
|
|
<![CDATA[
|
|
<?php
|
|
$options = array(
|
|
'safe_mode'=>true,
|
|
'open_basedir'=>'/var/www/users/jdoe/',
|
|
'allow_url_fopen'=>'false',
|
|
'disable_functions'=>'exec,shell_exec,passthru,system',
|
|
'disable_classes'=>'myAppClass');
|
|
$sandbox = new Runkit_Sandbox($options);
|
|
/* Non-protected ini settings may set normally */
|
|
$sandbox->ini_set('html_errors',true);
|
|
?>
|
|
]]>
|
|
</programlisting>
|
|
</example>
|
|
</refsect1>
|
|
|
|
<refsect1 role="variables">
|
|
<title>Accessing Variables</title>
|
|
<para>
|
|
All variables in the global scope of the sandbox environment
|
|
are accessible as properties of the sandbox object.
|
|
The first thing to note is that because of the way memory
|
|
between these two threads is managed, object and resource
|
|
variables can not currently be exchanged between interpreters.
|
|
Additionally, all arrays are deep copied and any references
|
|
will be lost. This also means that references between
|
|
interpreters are not possible.
|
|
</para>
|
|
|
|
<example>
|
|
<title>Working with variables in a sandbox</title>
|
|
<programlisting role="php">
|
|
<![CDATA[
|
|
<?php
|
|
$sandbox = new Runkit_Sandbox();
|
|
|
|
$sandbox->foo = 'bar';
|
|
$sandbox->eval('echo "$foo\n"; $bar = $foo . "baz";');
|
|
echo "{$sandbox->bar}\n";
|
|
if (isset($sandbox->foo)) unset($sandbox->foo);
|
|
$sandbox->eval('var_dump(isset($foo));');
|
|
?>
|
|
]]>
|
|
</programlisting>
|
|
</example>
|
|
&example.outputs;
|
|
<screen>
|
|
<![CDATA[
|
|
bar
|
|
barbaz
|
|
bool(false)
|
|
]]>
|
|
</screen>
|
|
</refsect1>
|
|
|
|
<refsect1 role="functions">
|
|
<title>Calling PHP Functions</title>
|
|
<para>
|
|
Any function defined within the sandbox may be called as
|
|
a method on the sandbox object. This also includes a few
|
|
pseudo-function language constructs: <function>eval</function>,
|
|
<function>include</function>, <function>include_once</function>,
|
|
<function>require</function>, <function>require_once</function>,
|
|
<function>echo</function>, <function>print</function>,
|
|
<function>die</function>, and <function>exit</function>.
|
|
</para>
|
|
|
|
<example>
|
|
<title>Calling sandbox functions</title>
|
|
<programlisting role="php">
|
|
<![CDATA[
|
|
<?php
|
|
$sandbox = new Runkit_Sandbox();
|
|
|
|
echo $sandbox->str_replace('a','f','abc');
|
|
?>
|
|
]]>
|
|
</programlisting>
|
|
</example>
|
|
&example.outputs;
|
|
<screen>
|
|
<![CDATA[
|
|
fbc
|
|
]]>
|
|
</screen>
|
|
|
|
<para>
|
|
When passing arguments to a sandbox function, the arguments
|
|
are taken from the outer instance of PHP. If you wish to pass
|
|
arguments from the sandbox's scope, be sure to access them as
|
|
properties of the sandbox object as illustrated above.
|
|
</para>
|
|
|
|
<example>
|
|
<title>Passing arguments to sandbox functions</title>
|
|
<programlisting role="php">
|
|
<![CDATA[
|
|
<?php
|
|
$sandbox = new Runkit_Sandbox();
|
|
|
|
$foo = 'bar';
|
|
$sandbox->foo = 'baz';
|
|
echo $sandbox->str_replace('a',$foo,'a');
|
|
echo $sandbox->str_replace('a',$sandbox->foo,'a');
|
|
?>
|
|
]]>
|
|
</programlisting>
|
|
</example>
|
|
&example.outputs;
|
|
<screen>
|
|
<![CDATA[
|
|
bar
|
|
baz
|
|
]]>
|
|
</screen>
|
|
</refsect1>
|
|
|
|
<refsect1 role="settings">
|
|
<title>Changing Sandbox Settings</title>
|
|
<para>
|
|
As of runkit version 0.5, certain Sandbox settings may
|
|
be modified on the fly using ArrayAccess syntax.
|
|
Some settings, such as <parameter>active</parameter>
|
|
are read-only and meant to provide status information.
|
|
Other settings, such as <parameter>output_handler</parameter>
|
|
may be set and read much like a normal array offset.
|
|
Future settings may be write-only, however no such
|
|
settings currently exist.
|
|
</para>
|
|
|
|
<para>
|
|
<table>
|
|
<title>Sandbox Settings / Status Indicators</title>
|
|
<tgroup cols="4">
|
|
<thead>
|
|
<row>
|
|
<entry>Setting</entry>
|
|
<entry>Type</entry>
|
|
<entry>Purpose</entry>
|
|
<entry>Default</entry>
|
|
</row>
|
|
</thead>
|
|
<tbody>
|
|
<row>
|
|
<entry><literal>active</literal></entry>
|
|
<entry><type>Boolean</type> (Read Only)</entry>
|
|
<entry>
|
|
&true; if the Sandbox is still in a usable state,
|
|
&false; if the request is in bailout due to a
|
|
call to die(), exit(), or because of a fatal
|
|
error condition.
|
|
</entry>
|
|
<entry>&true; (Initial)</entry>
|
|
</row>
|
|
<row>
|
|
<entry><literal>output_handler</literal></entry>
|
|
<entry><type>Callback</type></entry>
|
|
<entry>
|
|
When set to a valid callback, all output generated
|
|
by the Sandbox instance will be processed through
|
|
the named function.
|
|
Sandbox output handlers follow the same calling
|
|
conventions as the system-wide output handler.
|
|
</entry>
|
|
<entry>None</entry>
|
|
</row>
|
|
<row>
|
|
<entry><literal>parent_access</literal></entry>
|
|
<entry><type>Boolean</type></entry>
|
|
<entry>
|
|
May the sandbox use instances of the
|
|
<classname>Runkit_Sandbox_Parent</classname> class?
|
|
Must be enabled for other
|
|
<classname>Runkit_Sandbox_Parent</classname>
|
|
related settings to work.
|
|
</entry>
|
|
<entry>&false;</entry>
|
|
</row>
|
|
<row>
|
|
<entry><literal>parent_read</literal></entry>
|
|
<entry><type>Boolean</type></entry>
|
|
<entry>
|
|
May the sandbox read variables in its parent's context?
|
|
</entry>
|
|
<entry>&false;</entry>
|
|
</row>
|
|
<row>
|
|
<entry><literal>parent_write</literal></entry>
|
|
<entry><type>Boolean</type></entry>
|
|
<entry>
|
|
May the sandbox modify variables in its parent's context?
|
|
</entry>
|
|
<entry>&false;</entry>
|
|
</row>
|
|
<row>
|
|
<entry><literal>parent_eval</literal></entry>
|
|
<entry><type>Boolean</type></entry>
|
|
<entry>
|
|
May the sandbox evaluate arbitrary code in its
|
|
parent's context? <emphasis>DANGEROUS</emphasis>
|
|
</entry>
|
|
<entry>&false;</entry>
|
|
</row>
|
|
<row>
|
|
<entry><literal>parent_include</literal></entry>
|
|
<entry><type>Boolean</type></entry>
|
|
<entry>
|
|
May the sandbox include php code files in its
|
|
parent's context? <emphasis>DANGEROUS</emphasis>
|
|
</entry>
|
|
<entry>&false;</entry>
|
|
</row>
|
|
<row>
|
|
<entry><literal>parent_echo</literal></entry>
|
|
<entry><type>Boolean</type></entry>
|
|
<entry>
|
|
May the sandbox echo data in its parent's context
|
|
effectively bypassing its own output_handler?
|
|
</entry>
|
|
<entry>&false;</entry>
|
|
</row>
|
|
<row>
|
|
<entry><literal>parent_call</literal></entry>
|
|
<entry><type>Boolean</type></entry>
|
|
<entry>
|
|
May the sandbox call functions in its
|
|
parent's context?
|
|
</entry>
|
|
<entry>&false;</entry>
|
|
</row>
|
|
<row>
|
|
<entry><literal>parent_die</literal></entry>
|
|
<entry><type>Boolean</type></entry>
|
|
<entry>
|
|
May the sandbox kill its own parent? (And thus itself)
|
|
</entry>
|
|
<entry>&false;</entry>
|
|
</row>
|
|
<row>
|
|
<entry><literal>parent_scope</literal></entry>
|
|
<entry><type>Integer</type></entry>
|
|
<entry>
|
|
What scope will parental property access look at?
|
|
0 == Global scope, 1 == Calling scope,
|
|
2 == Scope preceeding calling scope,
|
|
3 == The scope before that, etc..., etc...
|
|
</entry>
|
|
<entry><literal>0</literal> (Global)</entry>
|
|
</row>
|
|
<row>
|
|
<entry><literal>parent_scope</literal></entry>
|
|
<entry><type>String</type></entry>
|
|
<entry>
|
|
When <literal>parent_scope</literal> is set to
|
|
a string value, it refers to a named array variable
|
|
in the global scope. If the named variable does not
|
|
exist at the time of access it will be created as an
|
|
empty array. If the variable exists but it not an array,
|
|
a dummy array will be created containing a reference
|
|
to the named global variable.
|
|
</entry>
|
|
<entry></entry>
|
|
</row>
|
|
</tbody>
|
|
</tgroup>
|
|
</table>
|
|
</para>
|
|
</refsect1>
|
|
|
|
</refentry>
|
|
|
|
<!-- Keep this comment at the end of the file
|
|
Local variables:
|
|
mode: sgml
|
|
sgml-omittag:t
|
|
sgml-shorttag:t
|
|
sgml-minimize-attributes:nil
|
|
sgml-always-quote-attributes:t
|
|
sgml-indent-step:1
|
|
sgml-indent-data:t
|
|
indent-tabs-mode:nil
|
|
sgml-parent-document:nil
|
|
sgml-default-dtd-file:"~/.phpdoc/manual.ced"
|
|
sgml-exposed-tags:nil
|
|
sgml-local-catalogs:nil
|
|
sgml-local-ecat-files:nil
|
|
End:
|
|
vim600: syn=xml fen fdm=syntax fdl=2 si
|
|
vim: et tw=78 syn=sgml
|
|
vi: ts=1 sw=1
|
|
-->
|