|
|
php.net | support | documentation | report a bug | advanced search | search howto | statistics | random bug | login |
[2008-08-16 01:06 UTC] falkon1313 at gmail dot com
Description:
------------
It is not possible to disable some functions in a sandbox, and functions which run despite having been disabled issue no errors or warnings.
It is not possible for code running within the sandbox to determine whether or not functions or classes are available. The only consistent way to determine the availability of a class or function is to run code that uses it and then check the PHP error logs.
Reproduce code:
---------------
<?php
$options = array(
'disable_classes' => 'Exception',
'disable_functions' => 'zend_version, function_exists, class_exists',
);
$box = new Runkit_Sandbox( $options );
$box->eval( 'echo "function zend_version() exists: "; var_export( function_exists("zend_version") );' );
$box->eval( 'echo "<br />\n";' );
$box->eval( 'echo "class Exception exists: "; var_export( class_exists("Exception") );' );
$box->eval( 'echo "<br />\n";' );
$box->eval( 'echo "disabled functions: "; print_r( ini_get("disable_functions") );' );
$box->eval( 'echo "<br />\n";' );
$box->eval( 'echo "disabled classes: "; print_r( ini_get("disable_classes") );' );
$box->eval( 'echo "<br />\n";' );
$box->eval( 'echo "defined functions: "; print_r( get_defined_functions() );' );
$box->eval( 'echo "<br />\n";' );
$box->eval( 'echo "declared classes: "; print_r( get_declared_classes() );' );
Expected result:
----------------
1) class_exists should return false if the class has been disabled, as function_exists does.
2) ini_get should return a list of disabled classes and functions.
3) disabled functions should not be in the list of defined functions returned by get_defined_functions
4) disabled classes should not be in the list of declared classes returned by get_declared_classes.
5) disabled functions should not execute.
Actual result:
--------------
1) function_exists returns false if the function has been disabled, but class_exists returns true if the class has been disabled.
2) ini_get fails to recognize disabled functions and classes within the runkit sandbox, returning empty arrays.
3) disabled functions are included in the results of get_defined_functions
4) disabled classes are included in the results of get_declared_classes, although their position and letter case may change (Exception becomes exception, and goes from #1 to #105 in the list in my installation).
5) functions such as function_exists and class_exists can be called from within the sandbox even though they were 'disabled'. No errors occur.
PatchesPull RequestsHistoryAllCommentsChangesGit/SVN commits
|
|||||||||||||||||||||||||||||||||
Copyright © 2001-2024 The PHP GroupAll rights reserved. |
Last updated: Wed Apr 24 21:01:29 2024 UTC |
What do you think about this? echo '<?php echo var_dump(class_exists("Exception")); new Exception();' | php -d 'disable_classes=Exception' bool(true) Warning: exception() has been disabled for security reasons in - on line 1 Call Stack: 0.0002 335688 1. {main}() -:0