It would be nice to have a new security feature in PHP.
Actually, a web server receives connections from a specific IP/port, but any PHP script can use any available address on outgoing connections.
This can be a security problem.
It should be possible to 'force' PHP to open connections only with a specific IP or with the listening IP. This helps to prevent such problems:
* if you have internal interfaces in the same machine where you have
public IPs, a web PHP application could try to use the internal
address of the interface, exploring the internal network (actually we avoid that
thanks to FreeBSD jails).
* if apache listens on a specific IP for a single domain, and listens
on other IPs for other domains, it would be safe if each domain can
use as source IP only the associated listening IP.
You can already do this for any function that accepts a stream context via the bindto context option. Is there a specific case that isn't covered?
bindto looks to be a programming option.
I'm asking for a PHP directive, similar to OPEN_BASEDIR, which will force the bind address for any function opening/creating a socket or network connection.
This should be imposed by the system manager, when there is a multidomain/multiIP apache.
It would be useful to have something like:
BIND_IP 'x.x.x.x' (specific IP to be used for binding)
BIND_LISTEN (force use of IP on which the apache connection is received)
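The two positions in this thread, the per-call bindto context option mentioned in the developer reply and the site-wide BIND_IP directive the reporter asks for, can be illustrated side by side. The following is an added example written for this page, not code from the bug report or from PHP itself. It assumes 192.0.2.10 (an RFC 5737 documentation address) stands in for the interface the web server listens on, and that the administrator can load a file through the existing auto_prepend_file directive; the function names open_bound_connection, local_address and install_default_bind are this example's own.

```php
<?php
// Added example for this thread; not code from the bug report or from PHP's
// sources. Part (1) shows the per-call 'bindto' socket context option.
// Part (2) shows how an administrator can approximate the requested BIND_IP
// directive with a default stream context installed via auto_prepend_file.
// 192.0.2.10 is an RFC 5737 placeholder; use the IP the server listens on.

// --- (1) per-call binding: the script chooses its own source address --------
function open_bound_connection(string $target, string $sourceIp)
{
    $context = stream_context_create([
        'socket' => [
            // Format is 'ip:port'; port 0 lets the OS pick an ephemeral port.
            'bindto' => $sourceIp . ':0',
        ],
    ]);

    $errno = 0;
    $errstr = '';
    $stream = @stream_socket_client(
        $target, $errno, $errstr, 5, STREAM_CLIENT_CONNECT, $context
    );
    if ($stream === false) {
        // A bindto address that is not configured on any local interface
        // fails here rather than silently falling back to another address.
        throw new RuntimeException("connect to $target failed: [$errno] $errstr");
    }
    return $stream;
}

// Verify the bind took effect: the local side of the socket must report the
// address that was requested. stream_socket_get_name(..., false) returns the
// local 'ip:port' of an open socket.
function local_address($stream): string
{
    return (string) stream_socket_get_name($stream, false);
}

// --- (2) site-wide default, set from a file named by auto_prepend_file ------
// e.g. per vhost in the Apache config:
//   php_value auto_prepend_file /etc/php/bind_source.php
// Stream functions that fall back to the default context (file_get_contents,
// fopen on a URL, ...) then bind to this address, giving one source IP per
// domain as in the second bullet of the original report.
function install_default_bind(string $sourceIp): void
{
    stream_context_set_default([
        'socket' => ['bindto' => $sourceIp . ':0'],
    ]);
}

// Usage on a host where 192.0.2.10 is a configured public interface:
// install_default_bind('192.0.2.10');
// $s = open_bound_connection('tcp://example.com:80', '192.0.2.10');
// echo local_address($s), "\n";  // should begin with 192.0.2.10
```

The caveat that matters for the reporter's use case: part (2) sets a default, not a restriction. A script that builds its own context with a different bindto value, or passes a socket through another extension, is not constrained by it, so it does not replace an enforced directive in the OPEN_BASEDIR sense. Until such a directive exists, the OS-level controls the report already mentions (jails, or equivalent per-vhost network isolation) remain the only boundary a script cannot opt out of; the local_address check above is a cheap way to confirm in logs that outgoing connections really carry the expected source IP.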