Bug #58313 Disabling classes & functions doesn't always disable them.
Submitted: 2008-08-16 01:06 UTC Modified: 2016-08-03 19:42 UTC
Votes:1
Avg. Score:3.0 ± 0.0
Reproduced:0 of 0 (0.0%)
From: falkon1313 at gmail dot com Assigned:
Status: Open Package: runkit (PECL)
PHP Version: 5.2.5 OS: Windows XP
Private report: No CVE-ID: None

 [2008-08-16 01:06 UTC] falkon1313 at gmail dot com
Description:
------------
It is not possible to disable some functions in a sandbox, and functions which run despite having been disabled issue no errors or warnings.

It is not possible for code running within the sandbox to determine whether or not functions or classes are available.  The only consistent way to determine the availability of a class or function is to run code that uses it and then check the PHP error logs.

Reproduce code:
---------------
<?php
$options = array(
  'disable_classes' => 'Exception',
  'disable_functions' => 'zend_version, function_exists, class_exists',
);

$box = new Runkit_Sandbox( $options );

$box->eval( 'echo "function zend_version() exists: "; var_export( function_exists("zend_version") );' );
$box->eval( 'echo "<br />\n";' );
$box->eval( 'echo "class Exception exists: "; var_export( class_exists("Exception") );' );
$box->eval( 'echo "<br />\n";' );
$box->eval( 'echo "disabled functions: "; print_r( ini_get("disable_functions") );' );
$box->eval( 'echo "<br />\n";' );
$box->eval( 'echo "disabled classes: "; print_r( ini_get("disable_classes") );' );
$box->eval( 'echo "<br />\n";' );
$box->eval( 'echo "defined functions: "; print_r( get_defined_functions() );' );
$box->eval( 'echo "<br />\n";' );
$box->eval( 'echo "declared classes: "; print_r( get_declared_classes() );' );



Expected result:
----------------
1) class_exists should return false if the class has been disabled, as function_exists does.
2) ini_get should return a list of disabled classes and functions.
3) Disabled functions should not be in the list of defined functions returned by get_defined_functions.
4) Disabled classes should not be in the list of declared classes returned by get_declared_classes.
5) Disabled functions should not execute.

Actual result:
--------------
1) function_exists returns false if the function has been disabled, but class_exists returns true if the class has been disabled.
2) ini_get fails to recognize disabled functions and classes within the runkit sandbox, returning empty arrays.
3) Disabled functions are included in the results of get_defined_functions.
4) Disabled classes are included in the results of get_declared_classes, although their position and letter case may change (Exception becomes exception, and goes from #1 to #105 in the list in my installation).
5) Functions such as function_exists and class_exists can be called from within the sandbox even though they were 'disabled'. No errors occur.

 [2015-09-29 10:30 UTC] dzenovich@php.net
What do you think about this?

echo '<?php echo var_dump(class_exists("Exception")); new Exception();' | php -d 'disable_classes=Exception'
bool(true)

Warning: exception() has been disabled for security reasons in - on line 1

Call Stack:
    0.0002     335688   1. {main}() -:0
 [2015-09-29 10:36 UTC] dzenovich@php.net
You should not use spaces in the list of classes or functions; otherwise it doesn't work well.
 [2015-09-29 10:36 UTC] dzenovich@php.net
I think we can close this.
 [2016-08-03 19:42 UTC] cmb@php.net
(1), (3) and (4) are not related to runkit, but are rather normal
behavior of PHP. If you feel these issues should be addressed,
please open (a) separate ticket(s).

(2) and (5) are related to runkit's sandbox, though.
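
Added example (not part of the bug report or of runkit): a plain-PHP audit, run outside any sandbox, that writes a disable list without spaces as advised in the thread and compares what ini_get, function_exists and get_defined_functions each report for the same names. The helper names are hypothetical and the sample list is the one from the reproduce code.

```php
<?php
// Added example; helper names are hypothetical, not a runkit or PHP API.

/** Split a disable_* value on commas and whitespace into lowercase names. */
function parse_disable_list(string $raw): array
{
    $names = preg_split('/[\s,]+/', strtolower($raw), -1, PREG_SPLIT_NO_EMPTY);
    return array_values(array_unique($names));
}

/** Re-join the names with commas only (no spaces), as the thread advises. */
function normalize_disable_list(string $raw): string
{
    return implode(',', parse_disable_list($raw));
}

/** For each name, record what the three introspection routes report. */
function audit_disabled_functions(array $names): array
{
    // ini_get may return false when the setting is unavailable; cast to string.
    $listed   = parse_disable_list((string) ini_get('disable_functions'));
    $internal = get_defined_functions()['internal'];
    $report   = [];
    foreach ($names as $name) {
        $name = strtolower($name);
        try {
            $exists = function_exists($name);
        } catch (\Error $e) {
            $exists = null; // function_exists itself could not be called
        }
        $report[$name] = [
            'listed_in_ini'        => in_array($name, $listed, true),
            'function_exists'      => $exists,
            'in_defined_functions' => in_array($name, $internal, true),
        ];
    }
    return $report;
}

// Constructed sample input: the list from the reproduce code, spaces included.
$raw = 'zend_version, function_exists, class_exists';
echo "normalized: ", normalize_disable_list($raw), "\n";
print_r(audit_disabled_functions(parse_disable_list($raw)));
```

Running it once without and once with `-d disable_functions=zend_version` shows which of the three routes change on a given PHP build, so enforcement can be confirmed from the host side rather than inferred from inside the restricted code.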
 
Last updated: Tue Nov 12 07:01:37 2019 UTC