Bug #58313 Disabling classes & functions doesn't always disable them.
Submitted: 2008-08-16 01:06 UTC
Modified: 2021-05-10 15:08 UTC
Avg. Score: 3.0 ± 0.0
Reproduced: 0 of 0 (0.0%)
From: falkon1313 at gmail dot com
Assigned: cmb
Status: Closed
Package: runkit (PECL)
PHP Version: 5.2.5
OS: Windows XP
Private report: No
CVE-ID: None
 [2008-08-16 01:06 UTC] falkon1313 at gmail dot com
It is not possible to disable some functions in a sandbox, and functions which run despite having been disabled issue no errors or warnings.

It is not possible for code running within the sandbox to determine whether or not functions or classes are available.  The only consistent way to determine the availability of a class or function is to run code that uses it and then check the PHP error logs.

Reproduce code:
$options = array(
  'disable_classes' => 'Exception',
  'disable_functions' => 'zend_version, function_exists, class_exists',
);

$box = new Runkit_Sandbox( $options );

$box->eval( 'echo "function zend_version() exists: "; var_export( function_exists("zend_version") );' );
$box->eval( 'echo "<br />\n";' );
$box->eval( 'echo "class Exception exists: "; var_export( class_exists("Exception") );' );
$box->eval( 'echo "<br />\n";' );
$box->eval( 'echo "disabled functions: "; print_r( ini_get("disable_functions") );' );
$box->eval( 'echo "<br />\n";' );
$box->eval( 'echo "disabled classes: "; print_r( ini_get("disable_classes") );' );
$box->eval( 'echo "<br />\n";' );
$box->eval( 'echo "defined functions: "; print_r( get_defined_functions() );' );
$box->eval( 'echo "<br />\n";' );
$box->eval( 'echo "declared classes: "; print_r( get_declared_classes() );' );

Expected result:
1) class_exists should return false if the class has been disabled, as function_exists does.
2) ini_get should return a list of disabled classes and functions.
3) disabled functions should not be in the list of defined functions returned by get_defined_functions.
4) disabled classes should not be in the list of declared classes returned by get_declared_classes.
5) disabled functions should not execute.

Actual result:
1) function_exists returns false if the function has been disabled, but class_exists returns true if the class has been disabled.
2) ini_get fails to recognize disabled functions and classes within the runkit sandbox, returning empty arrays.
3) disabled functions are included in the results of get_defined_functions.
4) disabled classes are included in the results of get_declared_classes, although their position and letter case may change (Exception becomes exception, and goes from #1 to #105 in the list in my installation).
5) functions such as function_exists and class_exists can be called from within the sandbox even though they were 'disabled'.  No errors occur.
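
The five expectations above can be checked from inside the environment under test. This is an added example, not part of the original report and not runkit code. It compares an intended deny-list against what the running interpreter reports; the name audit_deny_list() is hypothetical and the sample list is the one from the reproduce code.

```php
<?php
// Added example: report whether each name on an intended deny-list is
// really unavailable. audit_deny_list() is a hypothetical helper.

function audit_deny_list(string $intended): array
{
    // Split on commas, trim stray whitespace, drop empty entries.
    // Function names are case-insensitive, so compare in lower case.
    $names = array_filter(array_map('trim', explode(',', strtolower($intended))), 'strlen');

    // What the interpreter itself lists as disabled (may be empty).
    $iniRaw  = strtolower((string) ini_get('disable_functions'));
    $iniList = array_filter(preg_split('/[\s,]+/', $iniRaw), 'strlen');

    // Internal functions the interpreter reports as defined.
    $defined  = get_defined_functions();
    $internal = array_map('strtolower', $defined['internal']);

    $report = [];
    foreach ($names as $fn) {
        $report[$fn] = [
            'listed_in_ini'        => in_array($fn, $iniList, true),
            'function_exists'      => function_exists($fn),
            'is_callable'          => is_callable($fn),
            'in_defined_functions' => in_array($fn, $internal, true),
        ];
    }
    return $report;
}

// Deny-list string taken from the reproduce code in the report.
$intended = 'zend_version, function_exists, class_exists';

foreach (audit_deny_list($intended) as $fn => $r) {
    // function_exists() returning true means the restriction did not apply.
    $status = $r['function_exists'] ? 'STILL AVAILABLE' : 'unavailable';
    printf(
        "%-16s %-15s ini=%s callable=%s defined=%s\n",
        $fn,
        $status,
        var_export($r['listed_in_ini'], true),
        var_export($r['is_callable'], true),
        var_export($r['in_defined_functions'], true)
    );
}
```

Columns that disagree with each other for the same name are the signal to investigate. Introspection alone is not proof, so confirm by calling the function and checking the error log.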


 [2015-09-29 10:30 UTC]
What do you think about this?

echo '<?php echo var_dump(class_exists("Exception")); new Exception();' | php -d 'disable_classes=Exception'

Warning: exception() has been disabled for security reasons in - on line 1

Call Stack:
    0.0002     335688   1. {main}() -:0
 [2015-09-29 10:36 UTC]
You should not use spaces in the list of classes or functions, otherwise it doesn't work well.
 [2015-09-29 10:36 UTC]
I think we can close this.
 [2016-08-03 19:42 UTC]
(1), (3) and (4) are not related to runkit, but are rather normal
behavior of PHP. If you feel these issues should be addressed,
please open (a) separate ticket(s).

(2) and (5) are related to runkit's sandbox, though.
 [2021-05-10 15:08 UTC]
-Status: Open +Status: Closed -Assigned To: +Assigned To: cmb
 [2021-05-10 15:08 UTC]
I'm closing this ticket, since the proper place to report runkit
related issues is <>.
Last updated: Sun Mar 03 02:01:30 2024 UTC