php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #58313 Disabling classes & functions doesn't always disable them.
Submitted: 2008-08-16 01:06 UTC Modified: 2021-05-10 15:08 UTC
Votes:1
Avg. Score:3.0 ± 0.0
Reproduced:0 of 0 (0.0%)
From: falkon1313 at gmail dot com Assigned: cmb (profile)
Status: Closed Package: runkit (PECL)
PHP Version: 5.2.5 OS: Windows XP
Private report: No CVE-ID: None
View Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: falkon1313 at gmail dot com
New email:
PHP Version: OS:

 

 [2008-08-16 01:06 UTC] falkon1313 at gmail dot com
Description:
------------
It is not possible to disable some functions in a sandbox, and functions which run despite having been disabled issue no errors or warnings.

It is not possible for code running within the sandbox to determine whether or not functions or classes are available.  The only consistent way to determine the availability of a class or function is to run code that uses it and then check the PHP error logs.

Reproduce code:
---------------
<?php
$options = array(
  'disable_classes' => 'Exception',
  'disable_functions' => 'zend_version, function_exists, class_exists',
);

$box = new Runkit_Sandbox( $options );

$box->eval( 'echo "function zend_version() exists: "; var_export( function_exists("zend_version") );' );
$box->eval( 'echo "<br />\n";' );
$box->eval( 'echo "class Exception exists: "; var_export( class_exists("Exception") );' );
$box->eval( 'echo "<br />\n";' );
$box->eval( 'echo "disabled functions: "; print_r( ini_get("disable_functions") );' );
$box->eval( 'echo "<br />\n";' );
$box->eval( 'echo "disabled classes: "; print_r( ini_get("disable_classes") );' );
$box->eval( 'echo "<br />\n";' );
$box->eval( 'echo "defined functions: "; print_r( get_defined_functions() );' );
$box->eval( 'echo "<br />\n";' );
$box->eval( 'echo "declared classes: "; print_r( get_declared_classes() );' );



Expected result:
----------------
1) class_exists should return false if the class has been disabled, as function_exists does.
2) ini_get should return a list of disabled classes and functions.
3) disabled functions should not be in the list of defined functions returned by get_defined_functions
4) disabled classes should not be in the list of declared classes returned by get_declared_classes.
5) disabled functions should not execute.

Actual result:
--------------
1) function_exists returns false if the function has been disabled, but class_exists returns true if the class has been disabled.
2) ini_get fails to recognize disabled functions and classes within the runkit sandbox, returning empty arrays.
3) disabled functions are included in the results of get_defined_functions
4) disabled classes are included in the results of get_declared_classes, although their position and letter case may change (Exception becomes exception, and goes from #1 to #105 in the list in my installation).
5) functions such as function_exists and class_exists can be called from within the sandbox even though they were 'disabled'.  No errors occur.

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2015-09-29 10:30 UTC] dzenovich@php.net
What do you think about this?

echo '<?php echo var_dump(class_exists("Exception")); new Exception();' | php -d 'disable_classes=Exception'
bool(true)

Warning: exception() has been disabled for security reasons in - on line 1

Call Stack:
    0.0002     335688   1. {main}() -:0
 [2015-09-29 10:36 UTC] dzenovich@php.net
You should not use spaces in the list of classes or functions otherwise it doesn't work well
 [2015-09-29 10:36 UTC] dzenovich@php.net
I think we can close this.
 [2016-08-03 19:42 UTC] cmb@php.net
(1), (3) and (4) are not related to runkit, but are rather normal
behavior of PHP. If you feel these issues should be addressed,
please open (a) separate ticket(s).

(2) and (5) are related to runkit's sandbox, though.
 [2021-05-10 15:08 UTC] cmb@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: cmb
 [2021-05-10 15:08 UTC] cmb@php.net
I'm closing this ticket, since the proper place to report runkit
related issues is <https://github.com/zenovich/runkit/issues>.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Tue Oct 08 02:01:28 2024 UTC