There are many obvious advantages of running compiled PHP on .NET, such as higher performance, using .NET libraries and services or being able to develop cross-platform applications. This article will try to introduce a more subtle benefit that may be harder to grasp, but is one of the most compelling ones: security.
Underrated, but all the more powerful
Some reasons why we went on the journey of developing a PHP compiler and runtime to .NET on top of Microsoft Roslyn are quickly understood or easy to show. Performance, for instance, can easily be measured, compared and depicted in a diagram. The advantage of accessing the vast array of amazing .NET libraries, functionalities or diagnostics is also simple enough to show and the possibility of developing cross-platform apps becomes apparent as soon as one sees PHP running on a tablet or iPhone.
Security, however, is much harder to pinpoint, as it cannot be visualized. Nevertheless, it is one of the most compelling benefits of compiling PHP with Peachpie, because it has the potential to plug some of the most blatant holes in one of the most popular development languages in the world.
As we continued on our quest to equip Peachpie with all the functionality needed to run a real-world application such as WordPress, we stumbled across one of the potentially dangerous constructs in PHP.
Treading in dangerous waters
It is not a massive revelation that PHP can tend to have inadequate security. Due to the very nature of the language, one of the great shortcomings of PHP is that external parties can upload files onto one’s server, and if there aren’t sufficient precautionary measures in the code, hackers can potentially upload malicious files that can do some serious damage. See our case study on how US company AMain.com suffered a nearly devastating blow when hackers exploited a vulnerability in one of the site’s extensions in order to dump code onto the system, getting full access to the company’s database. This leak was plugged, however, with Phalanger, the predecessor of Peachpie, by simply compiling the source code to a .DLL file.
Many would say the security of PHP can be accurately reflected by the following picture:
Don’t take this joke too seriously; it’s not all that bad. But it is nonetheless very interesting to keep implementing PHP constructs in Peachpie and follow what sort of things programs try to do, simply because the platform allows them to. In .NET, we have much better control over what is executed. We can scan for any dynamic or unsafe behavior and decide whether we want to allow it or not.
Include of a non-compiled content file
As we continue implementing WordPress functionalities into Peachpie, we sometimes come across constructs that have a serious potential to be dangerous. Take the following code snippet, for example:
require_once( $svg_icons ) allows one to upload a file onto the host’s server if not otherwise handled. The potential consequences of this hardly have to be explained. Peachpie actually helps in this case, as we do not allow the Include of a non-compiled content file. The compiler recognizes that WordPress performs a Require on a file that had originally not been compiled. Rather than running it, which can potentially be harmful, it merely inserts its content into the site. Feel free to check out this neat functionality in the corresponding GitHub commit.
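An added example, not Peachpie's code and not from the original article: a stock-PHP sketch of the policy described above, in which only files known at build time are executed and anything else is returned as inert content. The function name include_compiled_only and the $compiledScripts list are assumptions standing in for the compiler's set of compiled scripts, and the two sample files are constructed.

```php
<?php
// Added example: stock-PHP emulation of "do not execute non-compiled includes".
// include_compiled_only() and $compiledScripts are hypothetical names; the list
// stands in for the set of scripts that were compiled into the application.
function include_compiled_only(string $path, array $compiledScripts): string
{
    $real = realpath($path);            // resolve symlinks and ../ before comparing
    if ($real === false) {
        throw new RuntimeException("include target not found: $path");
    }
    if (in_array($real, $compiledScripts, true)) {
        ob_start();                     // known script: run it and capture its output
        try {
            require $real;
        } finally {
            $output = ob_get_clean();
        }
        return $output;
    }
    // Not part of the build: hand back the raw bytes as content, never run them.
    return file_get_contents($real);
}

// Constructed sample files: one script known at build time, one later upload.
$dir = sys_get_temp_dir() . '/include_demo_' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents("$dir/icons.php", '<?php echo "icons loaded";');
file_put_contents("$dir/upload.svg", '<?php echo "EXECUTED"; ?><svg></svg>');
$compiledScripts = [realpath("$dir/icons.php")];

$known  = include_compiled_only("$dir/icons.php", $compiledScripts);
$upload = include_compiled_only("$dir/upload.svg", $compiledScripts);

// The known script ran; the upload came back as text with its PHP tag intact.
echo "known script output: ", $known, PHP_EOL;
echo "upload kept as text: ", var_export(strncmp($upload, '<?php', 5) === 0, true), PHP_EOL;
// Escape the content before inserting it into an HTML page.
echo "rendered upload:     ", htmlspecialchars($upload), PHP_EOL;

// Remove the constructed files.
unlink("$dir/icons.php");
unlink("$dir/upload.svg");
rmdir($dir);
```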
So what do we make of all this? In this article, we wanted to demonstrate one of the often misunderstood and underrated aspects of compiling PHP to .NET. There are several constructs in PHP that can pose security threats if they are not handled properly. With Peachpie, these constructs can continue to be used without having to worry as much about potential leaks. Peachpie offers PHP applications the full range of benefits of the Microsoft .NET platform, including higher security. It is a benefit that cannot be measured, but one that can prove to be a real money or trouble saver, as will become apparent over the next weeks when we introduce further security features of Peachpie.