
Does anyone have a prepared whitelist of as many as possible secure / unexploitable PHP functions?

I am building a web application where the user enters a Smarty template (Smarty version 3). The application runs this template through Smarty (with a proper Smarty_Security in place) and then cleans the resulting HTML with HTMLPurifier.

Everything seems safe to me, but the users need functions so they can be used as Smarty modifiers. I can whitelist them one by one, but it would take a lot of effort and would be error-prone. I have only found a blacklist - Exploitable PHP functions.

This is a somewhat similar question, but there are no suitable answers (for my case).

2 Answers

Start with Smarty_Security:

$php_functions = array(
    'isset', 'empty',
    'count', 'sizeof',
    'in_array', 'is_array',
    'time',
    'nl2br',
);

Add math and other (probably safe) operations on dates and arrays:

$php_functions = array(
    'isset', 'empty',
    'count', 'sizeof',
    'in_array', 'is_array', 'join', 'explode',
    'time', 'date', 'strtotime', 'strftime',
    'nl2br',
    'intval', 'floatval', 'rand', 'srand', 
    'log', 'log10', 'pi', 'pow', 'sqrt', 'exp', 
    'floor', 'ceil', 'round', 'min', 'max', 'abs',
    'sin', 'cos', 'tan', 'atan', 'atan2',
);
Answered 2012-04-19T10:23:28.663

Have you seen that great topic? Exploitable PHP functions

So you can do an "array_diff" between the list of allowed functions and the list of dangerous functions.

Answered 2012-05-11T10:23:21.053
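Putting both answers together, here is an added example (not code from either answer or from the Smarty project) of a Smarty 3 security policy that carries the first answer's whitelist, exposes a subset as modifiers, and applies the second answer's array_diff check against a dangerous-function list. The class name User_Template_Security, the Composer autoload path and the short dangerous-function list are assumptions; the real "Exploitable PHP functions" list linked above should be used in practice.

```php
<?php
// Assumes Smarty 3.1 installed via Composer (path is an assumption).
require_once __DIR__ . '/vendor/autoload.php';

class User_Template_Security extends Smarty_Security
{
    // Functions callable in template expressions, e.g. {if count($items) > 0}.
    public $php_functions = array(
        'isset', 'empty', 'count', 'sizeof', 'in_array', 'is_array',
        'join', 'explode', 'time', 'date', 'strtotime', 'strftime', 'nl2br',
        'intval', 'floatval', 'rand', 'srand', 'log', 'log10', 'pi', 'pow',
        'sqrt', 'exp', 'floor', 'ceil', 'round', 'min', 'max', 'abs',
        'sin', 'cos', 'tan', 'atan', 'atan2',
    );
    // Smarty 3 keeps a separate list for PHP functions used as modifiers ({$x|nl2br}).
    public $php_modifiers = array('escape', 'count', 'nl2br', 'intval', 'round');
    // Templates written by users should not read constants or superglobals.
    public $allow_constants     = false;
    public $allow_super_globals = false;
}

// Constructed sample of a dangerous-function list; stand-in for the linked blacklist.
$dangerous = array('exec', 'system', 'passthru', 'shell_exec', 'assert',
                   'unserialize', 'file_put_contents', 'include');

// Second answer's check: array_diff drops anything that is also on the blacklist.
// If the whitelist shrank, it contained a dangerous name, so refuse to start.
function checkWhitelist(array $allowed, array $dangerous)
{
    $safe = array_diff($allowed, $dangerous);
    if (count($safe) !== count($allowed)) {
        $bad = array_intersect($allowed, $dangerous);
        throw new RuntimeException('Whitelist contains dangerous functions: ' . implode(', ', $bad));
    }
    return array_values($safe);
}

$smarty = new Smarty();
$policy = new User_Template_Security($smarty);
checkWhitelist(array_merge($policy->php_functions, $policy->php_modifiers), $dangerous);
$smarty->enableSecurity($policy);

// Render a user-supplied template from a string resource; HTMLPurifier would run on $html next.
$smarty->assign('items', array(1, 2, 3));
$smarty->assign('name', "Alice\nBob");
$html = $smarty->fetch('string:{if in_array(2, $items)}found{else}missing{/if}: {$name|nl2br}');
echo $html;
```

A template that calls a function outside the whitelist, such as {exec("id")}, makes Smarty throw a SmartyCompilerException instead of compiling, which is the behaviour to rely on rather than sanitising afterwards.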