{
    "href": "/post/2004/12/17/restrictive-secure-compiler-for-savant/",
    "relId": "2004/12/17/restrictive-secure-compiler-for-savant",
    "title": "Restrictive (\"Secure\") Compiler for Savant",
    "author": "pmjones",
    "markup": "html",
    "tags": [
        {
            "href": "/tag/php/",
            "relId": "php",
            "title": "PHP",
            "author": null,
            "created": null,
            "updated": [],
            "markup": "markdown"
        }
    ],
    "created": "2004-12-17 17:10:09 UTC",
    "updated": [
        "2004-12-17 17:10:09 UTC"
    ],
    "html": "<p><a href=\"http://phpsavant.com/yawiki/index.php?page=SecureCompiler\">This page</a> is to track issues related to the new \"secure\" compiler for Savant.  A number of people (notably and most recently <a href=\"http://revjim.net/comments/10171\">RevJim</a>) have opined that Savant needs a decent secure compiler so that untrusted users can be allowed to edit templates.  I agree.</p>\n<p><strong>Note:</strong> The compiler is not a required element.  The normal use of Savant remains; that is, PHP itself is the template markup.  The only time you really need to compile a template is when you have anonymous or otherwise possibly malicious users, and this compiler exists to support that relatively rare case.</p>\n<p>So the idea now is to replace the existing \"basic\" compiler with a more-secure version; you can <a href=\"http://phpsavant.com/Savant2_Compiler_basic.phps\">view the source code here</a>.  Note that it depends on Josh Eichorn's excellent <a href=\"http://bluga.net/projects/PHPCodeAnalyzer/\">PHPCodeAnalyzer</a> script, which itself depends on the tokenizer function in PHP 4.3.0 and later.</p>\n<p>I don't know if I like calling the new compiler \"secure\" or not, but it sure is restrictive.  Here are the built-in restrictions and features:</p>\n<ul>\n<li>The markup language is PHP in most cases, just surrounded in non-PHP tags</li>\n<li>Prefix and suffix tags default to \"{\" and \"}\", but are user-definable.</li>\n<li>No &lt;?php ... ?&gt; or &lt;? ... ?&gt; tags allowed</li>\n<li>Simple variable echoing via {$var}</li>\n<li>Comments via {* ... *}</li>\n<li>Control structures are regular PHP ( {if (...):}, {else}, {foreach (...):}, etc)</li>\n<li>No support for switch/case, but break and continue are allowed</li>\n<li>Plugins supported via {['pluginName', 'arg1', $arg2, ... ]}</li>\n<li>Certain language constructs are disallowed:  eval, global, include[_once], require[_once], parent, self</li>\n<li>The only way to include other templates is via the {tpl} tag</li>\n<li>If the Savant $_restrict flag is on, template requests are restricted to specific allowed paths</li>\n<li>Access to superglobals ($GLOBALS, $_GET, etc) is disallowed</li>\n<li>Access to private $this properties is disallowed</li>\n<li>Variable-variables and variable-functions are disallowed</li>\n<li>Only whitelisted functions are allowed (the whitelist is user-definable)</li>\n<li>Only whitelisted static method calls are allowed (the whitelist is user-definable)</li>\n<li>Use of $this by itself is disallowed; it must be followed by -&gt; (e.g., \"$this\" generates an error, but \"$this_thing\" and \"$this-&gt;property\" are allowed)</li>\n</ul>\n<p>I think that's it.  If the compilation generates errors, the compiled script is not saved and the compiler returns a list of restriction violations with line numbers (the numbers correspond to both the source template and the compiled template because the markup language is <strong>very</strong> close to native PHP).</p>\n<p>Comments? Questions?  Have I forgotten to take something into account?  It's only been a week, so I am sure to have missed some form of sneakiness.</p>\n"
}
