Add variable to restrict PHP user input [#134779]

Issue http://drupal.org/node/46941 highlights the need to be able to restrict PHP input by users in e.g. multisite environments.

We have two places in core where there is PHP user input: block configuration (PHP for page matching) and input formats. We could put in place separate solutions for both. (This has been done in contrib in http://drupal.org/project/paranoia.)

But that leaves contrib modules. E.g., many contrib modules have copied in some form the page matching from block.module, introducing new PHP input cases. There's the PHP block in devel.module. No doubt there are others.

We need a general way to say, "this site should have no PHP user input", one that can be used by both core and contrib.

Proposed solution: introduce a new setting, 'php_input'. Every instance of PHP user input first tests for this setting. If it evaluates to 0, no UI is presented, and calls to drupal_eval() bail with a watchdog error message.

Probably we don't need a UI for setting this variable--it shouldn't be subject to user input. Instead the variable could be set in the $conf array in settings.php:


$conf = array(
  ...
  'php_input' => 0,
);

which would prevent all PHP input and evaluation.

Then all modules implementing PHP user input could do so conditionally:


if (variable_get('php_input', 1)) {
  // PHP input handling here.
}

We'd still want something like http://drupal.org/node/46941, though we could maybe make it an include file added conditionally by filter.module rather than a separate module.

So the attached rough patch leaves out the PHP filter, and just handles (a) making drupal_eval() execute only if php input is permitted and (b) making block page matching use PHP only if permitted, leaving the filter fixing to http://drupal.org/node/46941, which could be updated to use the new variable.