PHP :: Bug #73921 :: disable_functions should result in fatal error

Bug #73921	disable_functions should result in fatal error
Submitted:	2017-01-12 13:10 UTC	Modified:	2017-01-13 15:44 UTC
From:	spam2 at rhsoft dot net	Assigned:
Status:	Suspended	Package:	Scripting Engine problem
PHP Version:	7.1.0	OS:
Private report:	No	CVE-ID:	None

View Developer Edit

Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.

Password:

Status:
Package:
Bug Type:
Summary:
From:	spam2 at rhsoft dot net
New email:
PHP Version:		OS:

New Comment:

[2017-01-12 13:10 UTC] spam2 at rhsoft dot net

Description:
------------
PHP Warning:  popen() has been disabled for security reasons

sorry, but that is nonsense because from the view of the script it make sno difference if a function can't be called becaus ea typo or because it is disabled and so completly legit code for optional features don't work

BUT you can't try-catch warnings

 private function syslog(string $message)
 {
  global $cms_syslog;
  /** Je nach Serverkonfiguration nicht vorhanden */
  try
  {
   /** Usernamen hinzufuegen wenn angemeldet */
   if(!empty($_SESSION[CMS_HOST_HASH . '_auth_uname']))
   {
    $message .= " ({$_SESSION[CMS_HOST_HASH . '_auth_uname']})";
   }
   /** Sonderzeichen filtern */
   $message = strip_tags($this->escape_logitem($message));
   /** Kommando mittels "popen" ausfuehren und Rueckgabe in Variable schreiben */
   if($fp = popen($cms_syslog . ' ' . escapeshellarg($message) , 'r'))
   {
    pclose($fp);
    return true;
   }
   else
   {
    return false;
   }
  }
  catch(Error $e)
  {
   return false;
  }
 }

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2017-01-13 15:14 UTC] cmb@php.net

-Status: Open +Status: Suspended

[2017-01-13 15:14 UTC] cmb@php.net

Disabling a function isn't the same as undefining it (or never
have it being defined, for that matter), as can be seen from
get_defined_functions() which also returns disabled functions (by
default). Therefore I don't think this qualifies as a bug, but
is rather a feature request.

However, changing the behavior could cause massive BC break, so
this would appear to require the RFC process[1]. Thus I'm
suspending this ticket, until someone comes up with an RFC.

BTW: the example you're presenting isn't a particular good one, as
it would return FALSE regardless of whether disabling popen()
would throw an exception or not.

> BUT you can't try-catch warnings

That's not necessarily correct, see
<http://php.net/manual/en/class.errorexception.php#errorexception.examples>.

[1] <https://wiki.php.net/rfc/howto>

[2017-01-13 15:35 UTC] spam2 at rhsoft dot net

> BUT you can't try-catch warnings
That's not necessarily correct

surely, just try it out, this has changed in PHP7, the code below works perfectly when you don't load pecl-apcu and is much cheaper than function_exists() in case normally the extension is expected to be there and have it not loaded is really the exception

i can't see the BC break at all - when someone is calling a function he expects it to be called and on most production servers warnings are nt displayed so he even has no chance to realize why something acts unexpected, with a exception/error it's clear 

frnakly the whole disable_functions() stuff should be reworked so that it also works PER_DIR and not only global (suhosin in the past had a similar feature and i didn't see the pretended performance impact)

    try
    {
     $cache_entry = apcu_fetch($template_key);
     if($cache_entry !== false)
     {
      return $cache_entry;
     }
    }
    catch(Error $e){}

[2017-01-13 15:44 UTC] spam2 at rhsoft dot net

and when you mean i should create a own error-handler than this would be just pervert when the whole intention of try-catch is to get rid of the expensive function_exists() call which was there in the past

and yes a few function_exists() have a visible cost point in xdebug if you know how to develop really fast systems - no idea hwat function_exists does, but feels like in_array() iterating over the complete list

[2017-05-23 07:04 UTC] requinix@php.net

Related To: Bug #74635

[2017-10-22 23:39 UTC] kalle@php.net

Related To: Bug #13833

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Fri Nov 22 04:01:28 2024 UTC