Bug #58313 Disabling classes & functions doesn't always disable them.
Submitted: 2008-08-16 01:06 UTC Modified: 2021-05-10 15:08 UTC
Avg. Score:3.0 ± 0.0
Reproduced:0 of 0 (0.0%)
From: falkon1313 at gmail dot com Assigned: cmb (profile)
Status: Closed Package: runkit (PECL)
PHP Version: 5.2.5 OS: Windows XP
Private report: No CVE-ID: None


 [2008-08-16 01:06 UTC] falkon1313 at gmail dot com
It is not possible to disable some functions in a sandbox, and functions which run despite having been disabled issue no errors or warnings.

It is not possible for code running within the sandbox to determine whether or not functions or classes are available.  The only consistent way to determine the availability of a class or function is to run code that uses it and then check the PHP error logs.

Reproduce code:
$options = array(
  'disable_classes' => 'Exception',
  'disable_functions' => 'zend_version, function_exists, class_exists',
);

$box = new Runkit_Sandbox( $options );

$box->eval( 'echo "function zend_version() exists: "; var_export( function_exists("zend_version") );' );
$box->eval( 'echo "<br />\n";' );
$box->eval( 'echo "class Exception exists: "; var_export( class_exists("Exception") );' );
$box->eval( 'echo "<br />\n";' );
$box->eval( 'echo "disabled functions: "; print_r( ini_get("disable_functions") );' );
$box->eval( 'echo "<br />\n";' );
$box->eval( 'echo "disabled classes: "; print_r( ini_get("disable_classes") );' );
$box->eval( 'echo "<br />\n";' );
$box->eval( 'echo "defined functions: "; print_r( get_defined_functions() );' );
$box->eval( 'echo "<br />\n";' );
$box->eval( 'echo "declared classes: "; print_r( get_declared_classes() );' );

Expected result:
1) class_exists should return false if the class has been disabled, as function_exists does.
2) ini_get should return a list of disabled classes and functions.
3) disabled functions should not be in the list of defined functions returned by get_defined_functions
4) disabled classes should not be in the list of declared classes returned by get_declared_classes.
5) disabled functions should not execute.

Actual result:
1) function_exists returns false if the function has been disabled, but class_exists returns true if the class has been disabled.
2) ini_get fails to recognize disabled functions and classes within the runkit sandbox, returning empty arrays.
3) disabled functions are included in the results of get_defined_functions
4) disabled classes are included in the results of get_declared_classes, although their position and letter case may change (Exception becomes exception, and goes from #1 to #105 in the list in my installation).
5) functions such as function_exists and class_exists can be called from within the sandbox even though they were 'disabled'.  No errors occur.


 [2015-09-29 10:30 UTC]
What do you think about this?

echo '<?php echo var_dump(class_exists("Exception")); new Exception();' | php -d 'disable_classes=Exception'

Warning: exception() has been disabled for security reasons in - on line 1

Call Stack:
    0.0002     335688   1. {main}() -:0
 [2015-09-29 10:36 UTC]
You should not use spaces in the list of classes or functions, otherwise it doesn't work well.
 [2015-09-29 10:36 UTC]
I think we can close this.
 [2016-08-03 19:42 UTC]
(1), (3) and (4) are not related to runkit, but are rather normal
behavior of PHP. If you feel these issues should be addressed,
please open (a) separate ticket(s).

(2) and (5) are related to runkit's sandbox, though.
 [2021-05-10 15:08 UTC]
-Status: Open
+Status: Closed
-Assigned To:
+Assigned To: cmb
 [2021-05-10 15:08 UTC]
I'm closing this ticket, since the proper place to report runkit
related issues is <>.
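
One way to cross-check the introspection routes compared in this report (ini_get, function_exists/class_exists, and the get_defined_functions/get_declared_classes listings) from inside a restricted PHP environment. This is an added example, not code from the report or from runkit; the sample lists are constructed, and it assumes the introspection functions it calls are themselves still callable.

```php
<?php
// Added example, not from the bug report. Run it inside the restricted PHP
// environment. Assumes the introspection functions used here are not disabled.

/** Split a disable_functions / disable_classes style list and trim whitespace. */
function parse_list(string $raw): array
{
    $names = array_map('trim', explode(',', strtolower($raw)));
    return array_values(array_filter($names, 'strlen'));
}

/** Collect what each introspection route reports for every intended name. */
function audit(string $kind, string $intended): array
{
    if ($kind === 'function') {
        $ini    = parse_list((string) ini_get('disable_functions'));
        $listed = array_map('strtolower', get_defined_functions()['internal']);
        $exists = 'function_exists';
    } else {
        $ini    = parse_list((string) ini_get('disable_classes'));
        $listed = array_map('strtolower', get_declared_classes());
        $exists = 'class_exists';
    }
    $report = [];
    foreach (parse_list($intended) as $name) {
        $report[$name] = [
            'in_ini'     => in_array($name, $ini, true),    // restriction visible via ini_get?
            'exists'     => $exists($name),                 // *_exists still reports it?
            'in_listing' => in_array($name, $listed, true), // still enumerated?
        ];
    }
    return $report;
}

// Constructed sample lists, written with a space after the comma on purpose.
$checks = [
    'function' => 'zend_version, phpversion',
    'class'    => 'Exception',
];
foreach ($checks as $kind => $intended) {
    foreach (audit($kind, $intended) as $name => $r) {
        // Any route that still reports the name is a disagreement to investigate.
        $flag = ($r['exists'] || $r['in_listing'] || !$r['in_ini']) ? 'CHECK' : 'ok';
        printf("%-5s %-8s %-14s %s\n", $flag, $kind, $name, json_encode($r));
    }
}
```

A CHECK line means the routes disagree about that name or the restriction is not visible through ini_get; it does not prove that the function or class can actually be executed.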