📄 runkit.sandbox.html
字号:
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"><html> <head> <title>Runkit Sandbox Class -- PHP Virtual Machine</title> <meta http-equiv="content-type" content="text/html; charset=UTF-8"> </head> <body><div style="text-align: center;"> <div class="prev" style="text-align: left; float: left;"><a href="ref.runkit.html">runkit Functions</a></div> <div class="next" style="text-align: right; float: right;"><a href="runkit.sandbox-parent.html">Runkit_Sandbox_Parent</a></div> <div class="up"><a href="ref.runkit.html">runkit Functions</a></div> <div class="home"><a href="index.html">PHP Manual</a></div></div><hr /><div id="runkit.sandbox" class="refentry"> <div class="refnamediv"> <h1 class="refname">Runkit_Sandbox</h1> <p class="verinfo">(No version information available, might be only in CVS)</p><p class="refpurpose"><span class="refname">Runkit_Sandbox</span> — <span class="dc-title"> Runkit Sandbox Class -- PHP Virtual Machine </span></p> </div> <div class="refsect1 description"> <h3 class="title">Description</h3> <p class="para"> Instantiating the <b class="classname">Runkit_Sandbox</b> class creates a new thread with its own scope and program stack. Using a set of options passed to the constructor, this environment may be restricted to a subset of what the primary interpreter can do and provide a safer environment for executing user supplied code. </p> <blockquote><p><b class="note">Note</b>: <span class="simpara">Sandbox support (required for<a href="function.runkit-lint.html" class="function">runkit_lint()</a>, <a href="function.runkit-lint-file.html" class="function">runkit_lint_file()</a>,and the <b class="classname">Runkit_Sandbox</b> class) is only available as ofPHP 5.1.0 or specially patched versions of PHP 5.0, and requires that threadsafety be enabled.See the <var class="filename">README</var> file included in the runkit package formore information.</span></p></blockquote> </div> <div class="refsect1 constructor"> <h3 class="title">Constructor</h3> <div class="methodsynopsis dc-description"> <span class="type"><span class="type void">void</span></span> <span class="methodname"><b><b>Runkit_Sandbox::__construct</b></b></span> ([ <span class="methodparam"><span class="type">array</span> <tt class="parameter">$options</tt></span> ] )</div> <p class="para rdfs-comment"> <i><tt class="parameter">options</tt></i> is an associative array containing any combination of the special ini options listed below. </p> <p class="para"> <dl> <dt> <span class="term"><i><tt class="parameter">safe_mode</tt></i></span> <dd> <p class="para"> If the outer script which is instantiating the <b class="classname">Runkit_Sandbox</b> class is configured with <i>safe_mode = off</i>, then safe_mode may be turned on for the sandbox environment. This setting can not be used to disable <i>safe_mode</i> when it's already enabled in the outer script. </p> </dd> </dt> <dt> <span class="term"><i><tt class="parameter">safe_mode_gid</tt></i></span> <dd> <p class="para"> If the outer script which is instantiating the <b class="classname">Runkit_Sandbox</b> class is configured with <i>safe_mode_gid = on</i>, then safe_mode_gid may be turned off for the sandbox environment. This setting can not be used to enable <i>safe_mode_gid</i> when it's already disabled in the outer script. </p> </dd> </dt> <dt> <span class="term"><i><tt class="parameter">safe_mode_include_dir</tt></i></span> <dd> <p class="para"> If the outer script which is instantiating the <b class="classname">Runkit_Sandbox</b> class is configured with a <i>safe_mode_include_dir</i>, then a new safe_mode_include_dir may be set for sandbox environments below the currently defined value. safe_mode_include_dir may also be cleared to indicate that the bypass feature is disabled. If safe_mode_include_dir was blank in the outer script, but safe_mode was not enabled, then any arbitrary safe_mode_include_dir may be set while turning safe_mode on. </p> </dd> </dt> <dt> <span class="term"><i><tt class="parameter">open_basedir</tt></i></span> <dd> <p class="para"> <i><tt class="parameter">open_basedir</tt></i> may be set to any path below the current setting of <i>open_basedir</i>. If <i>open_basedir</i> is not set within the global scope, then it is assumed to be the root directory and may be set to any location. </p> </dd> </dt> <dt> <span class="term"><i><tt class="parameter">allow_url_fopen</tt></i></span> <dd> <p class="para"> Like <i><tt class="parameter">safe_mode</tt></i>, this setting can only be made more restrictive, in this case by setting it to <b><tt>FALSE</tt></b> when it is previously set to <b><tt>TRUE</tt></b> </p> </dd> </dt> <dt> <span class="term"><i><tt class="parameter">disable_functions</tt></i></span> <dd> <p class="para"> Comma separated list of functions to disable within the sandbox sub-interpreter. This list need not contain the names of the currently disabled functions, they will remain disabled whether listed here or not. </p> </dd> </dt> <dt> <span class="term"><i><tt class="parameter">disable_classes</tt></i></span> <dd> <p class="para"> Comma separated list of classes to disable within the sandbox sub-interpreter. This list need not contain the names of the currently disabled classes, they will remain disabled whether listed here or not. </p> </dd> </dt> <dt> <span class="term"><i><tt class="parameter">runkit.superglobal</tt></i></span> <dd> <p class="para"> Comma separated list of variables to be treated as superglobals within the sandbox sub-interpreter. These variables will be used in addition to any variables defined internally or through the global runkit.superglobal setting. </p> </dd> </dt> <dt> <span class="term"><i><tt class="parameter">runkit.internal_override</tt></i></span> <dd> <p class="para"> Ini option <i>runkit.internal_override</i> may be disabled (but not re-enabled) within sandboxes. </p> </dd> </dt> </dl> </p> <div class="example"> <p><b>Example #1 Instantiating a restricted sandbox</b></p> <div class="example-contents"><div class="phpcode"><code><span style="color: #000000"><span style="color: #0000BB"><?php<br />$options </span><span style="color: #007700">= array(<br /> </span><span style="color: #DD0000">'safe_mode'</span><span style="color: #007700">=></span><span style="color: #0000BB">true</span><span style="color: #007700">,<br /> </span><span style="color: #DD0000">'open_basedir'</span><span style="color: #007700">=></span><span style="color: #DD0000">'/var/www/users/jdoe/'</span><span style="color: #007700">,<br /> </span><span style="color: #DD0000">'allow_url_fopen'</span><span style="color: #007700">=></span><span style="color: #DD0000">'false'</span><span style="color: #007700">,<br /> </span><span style="color: #DD0000">'disable_functions'</span><span style="color: #007700">=></span><span style="color: #DD0000">'exec,shell_exec,passthru,system'</span><span style="color: #007700">,<br /> </span><span style="color: #DD0000">'disable_classes'</span><span style="color: #007700">=></span><span style="color: #DD0000">'myAppClass'</span><span style="color: #007700">);<br /></span><span style="color: #0000BB">$sandbox </span><span style="color: #007700">= new </span><span style="color: #0000BB">Runkit_Sandbox</span><span style="color: #007700">(</span><span style="color: #0000BB">$options</span><span style="color: #007700">);<br /></span><span style="color: #FF8000">/* Non-protected ini settings may set normally */<br /></span><span style="color: #0000BB">$sandbox</span><span style="color: #007700">-></span><span style="color: #0000BB">ini_set</span><span style="color: #007700">(</span><span style="color: #DD0000">'html_errors'</span><span style="color: #007700">,</span><span style="color: #0000BB">true</span><span style="color: #007700">);<br /></span><span style="color: #0000BB">?></span></span></code></div> </div> </div> </div> <div class="refsect1 variables"> <h3 class="title">Accessing Variables</h3> <p class="para"> All variables in the global scope of the sandbox environment are accessible as properties of the sandbox object. The first thing to note is that because of the way memory between these two threads is managed, object and resource variables can not currently be exchanged between interpreters. Additionally, all arrays are deep copied and any references will be lost. This also means that references between interpreters are not possible. </p> <div class="example"> <p><b>Example #2 Working with variables in a sandbox</b></p> <div class="example-contents"><div class="phpcode"><code><span style="color: #000000"><span style="color: #0000BB"><?php<br />$sandbox </span><span style="color: #007700">= new </span><span style="color: #0000BB">Runkit_Sandbox</span><span style="color: #007700">();<br /><br /></span><span style="color: #0000BB">$sandbox</span><span style="color: #007700">-></span><span style="color: #0000BB">foo </span><span style="color: #007700">= </span><span style="color: #DD0000">'bar'</span><span style="color: #007700">;<br /></span><span style="color: #0000BB">$sandbox</span><span style="color: #007700">-></span><span style="color: #0000BB">eval</span><span style="color: #007700">(</span><span style="color: #DD0000">'echo "$foo\n"; $bar = $foo . "baz";'</span><span style="color: #007700">);<br />echo </span><span style="color: #DD0000">"{$sandbox->bar}\n"</span><span style="color: #007700">;<br />if (isset(</span><span style="color: #0000BB">$sandbox</span><span style="color: #007700">-></span><span style="color: #0000BB">foo</span><span style="color: #007700">)) unset(</span><span style="color: #0000BB">$sandbox</span><span style="color: #007700">-></span><span style="color: #0000BB">foo</span><span style="color: #007700">);<br /></span><span style="color: #0000BB">$sandbox</span><span style="color: #007700">-></span><span style="color: #0000BB">eval</span><span style="color: #007700">(</span><span style="color: #DD0000">'var_dump(isset($foo));'</span><span style="color: #007700">);<br /></span><span style="color: #0000BB">?></span></span>⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -