Compare commits
3 Commits
8e3d97aa7f
...
d7c89275e7
Author | SHA1 | Date | |
---|---|---|---|
d7c89275e7 | |||
2bfc7a0dcd | |||
6a6f71cf10 |
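--- a/MD_JAIL.php
+++ b/MD_JAIL.php
@@ -0,0 +1,170 @@
+<?PHP
+/**
+* Provides class MD_JAIL.
+*/
+declare(strict_types = 1);
+
+/**
+* A class that, once initialized, forces the programmer to make security instructions implicit.
+* If an object of the class has been created, not specifying security instructions
+* leads to an error.
+* A restriction on basic file operations is not practical in an md context because of
+* the way transations are loaded through MDTlLoader.
+*/
+final class MD_JAIL {
+
+const STATUS_NONE = 0;
+const STATUS_STARTED = 1;
+const STATUS_SPECIFIED = 2; // Determines that everything is fine.
+
+/** @var integer */
+private int $_status = self::STATUS_NONE;
+
+/**
+* @var integer
+* Maximum execution time in seconds.
+*/
+public int $max_execution_time;
+
+/**
+* @var string[]
+* Specifies which paths may be used by this script.
+*/
+private array $_open_basedir = [];
+
+/**
+* @var string
+* Specifies the maximum RAM the script may use.
+*/
+public string $memory_limit;
+
+/**
+* Registers an additional accessible directory for open_basedir.
+*
+* @param string $dir Directory to register.
+*
+* @return void
+*/
+public function register_accessible_dir(string $dir):void {
+
+$this->_open_basedir[] = $dir;
+
+}
+
+/**
+* Applies the memory limit setting.
+*
+* @return void
+*/
+private function _apply_memory_limit():void {
+
+if (!isset($this->memory_limit)) {
+throw new MDJailSecurityOptionNotSetException("It has not been specified, which memory limit the script should hold. Set MD_JAIL->memory_limit = string.");
+}
+if (ini_set("memory_limit", $this->memory_limit) === false) {
+throw new Exception('Failed to change memory_limit to ' . $this->memory_limit);
+}
+
+}
+
+/**
+* Applies the maximum execution time setting.
+*
+* @return void
+*/
+private function _apply_time_limit():void {
+
+if (!isset($this->max_execution_time)) {
+throw new MDJailSecurityOptionNotSetException("It has not been specified, which maximum execution time the script should hold. Set MD_JAIL->max_execution_time = integer.");
+}
+if (set_time_limit($this->max_execution_time) === false) {
+throw new Exception('Failed to change max_execution_time to ' . $this->max_execution_time);
+}
+
+}
+
+/**
+* Applies basedir restrictions.
+*
+* @return void
+*/
+private function _apply_basedir_restriction():void {
+
+if (empty($this->_open_basedir)) {
+throw new MDJailSecurityOptionNotSetException("It has not been specified, which memory limit the script should hold. Set MD_JAIL->open_basedir = string.");
+}
+if (ini_set("open_basedir", implode(':', $this->_open_basedir)) === false) {
+throw new Exception('Failed to set open_basedir restrictions');
+}
+
+}
+
+/**
+* Enforces security options previously set.
+*
+* @return void
+*/
+public function enforce():void {
+
+// Special instructions on CLI, so as to not disturb PHPUnit
+if (PHP_SAPI === 'cli') {
+
+if (!isset($this->memory_limit)) {
+throw new MDJailSecurityOptionNotSetException("It has not been specified, which memory limit the script should hold. Set MD_JAIL->memory_limit = string.");
+}
+if (!isset($this->max_execution_time)) {
+throw new MDJailSecurityOptionNotSetException("It has not been specified, which maximum execution time the script should hold. Set MD_JAIL->max_execution_time = integer.");
+}
+
+$this->_status = self::STATUS_SPECIFIED;
+$this->__destruct();
+}
+
+$this->_apply_memory_limit();
+$this->_apply_time_limit();
+
+// Set accessible file paths
+// $this->_apply_basedir_restriction();
+
+$this->_status = self::STATUS_SPECIFIED;
+$this->__destruct();
+
+}
+
+/**
+* Setup function. Registers a shutdown function that throws an error
+* if the security specifications have not been made.
+*
+* @return void
+*/
+public function __construct() {
+
+$this->_status = self::STATUS_STARTED;
+
+}
+
+public function __destruct() {
+
+if ($this->_status !== self::STATUS_SPECIFIED) {
+
+echo "Security specifications need to be set.";
+
+if (!isset($this->memory_limit)) {
+echo "Set memory limit";
+}
+
+if (!isset($this->max_execution_time)) {
+echo "Set max_execution_time";
+}
+
+if (empty($this->_open_basedir)) {
+echo "Set open_basedir";
+}
+
+throw new MDJailSecurityOptionNotSetException("Security specifications need to be set.");
+}
+
+}
+
+}
+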
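Review bot: `enforce()` sets `STATUS_SPECIFIED` without ever applying an `open_basedir` restriction, because the call to `_apply_basedir_restriction()` is commented out; directories passed to `register_accessible_dir()` therefore have no effect, while `__destruct()` still prints "Set open_basedir". The class docblock explains why the restriction is impractical, so I would state that at the call site and on `register_accessible_dir()`, e.g. `// open_basedir is intentionally NOT enforced; registered dirs are currently unused`, so callers do not assume file access is confined. If the call is ever re-enabled, its "not set" message is copied from the memory-limit check and `implode(':', …)` should use `PATH_SEPARATOR`. Separately, the CLI branch has no `return;` after `$this->__destruct();`, so it falls through to `_apply_memory_limit()` and `_apply_time_limit()` despite the comment about not disturbing PHPUnit.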
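--- a/exceptions/MDJailSecurityOptionNotSetException.php
+++ b/exceptions/MDJailSecurityOptionNotSetException.php
@@ -0,0 +1,21 @@
+<?PHP
+declare(strict_types = 1);
+
+/**
+* Exception thrown by MDJail if a required security option has not been set.
+*/
+final class MDJailSecurityOptionNotSetException extends Exception {
+
+/**
+* Error message.
+*
+* @return string
+*/
+public function errorMessage() {
+//error message
+$errorMsg = 'A security option of MD_JAIL has not been set: <b>' . $this->getMessage() . '</b>).';
+return $errorMsg;
+
+}
+
+}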
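Review bot: `errorMessage()` concatenates `$this->getMessage()` into an HTML fragment without escaping, so any message that later carries caller-supplied text would be emitted as markup; the messages passed to this exception in this commit are fixed strings, so this is a hardening point rather than a live bug. I would build it as `'... has not been set: <b>' . htmlspecialchars($this->getMessage(), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '</b>.'`, which also drops the unmatched `)` before the final period. The method documents `@return string` but declares no return type; `public function errorMessage(): string` would match the `strict_types` declaration at the top of the file.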