Doc Bug #65289 disable_functions per domain not working
Submitted: 2013-07-18 15:07 UTC Modified: 2013-10-04 16:24 UTC
Votes: 1
Avg. Score: 5.0 ± 0.0
Reproduced: 0 of 0 (0.0%)
From: markku dot niskanen at gmail dot com Assigned: krakjoe (profile)
Status: Closed Package: FPM related
PHP Version: 5.5.0 OS: Centos 6.2
Private report: No CVE-ID: None
 [2013-07-18 15:07 UTC] markku dot niskanen at gmail dot com
Description:
------------
NOTE: If this is a feature and not a bug it should be in the documentation.

Using a domain-specific disable_functions setting in php.ini does not work.

Using the settings below I can still run phpinfo(). I can actually see that the
settings should prevent me from running it, as they are there!

The master value of disable_functions is an empty string. When the setting is 
applied as a master value it prevents running the functions correctly.

Tested with Centos 6.2 & Centos 5.4 and PHP 5.5.0 (php-fpm).


Test script:
---------------
; php.ini settings:
; end of php.ini std stuff, host specific stuff starts
[HOST=testdomain.com]
upload_max_filesize=7M
disable_functions=phpinfo,exec,shell_exec,system,passthru

code:
<?php
// both calls should be blocked by the disable_functions line above
phpinfo();
echo exec('whoami');


Expected result:
----------------
(empty page)


Actual result:
--------------
FULL phpinfo() page plus the user name!

result copied from browser :

disable_functions	phpinfo,exec,shell_exec,system,passthru
upload_max_filesize	7M

So the settings are there but not working.

History

 [2013-07-18 15:14 UTC] johannes@php.net
-Type: Security +Type: Documentation Problem
 [2013-07-18 15:14 UTC] johannes@php.net
The documentation should be made clearer. http://php.net/manual/en/ini.core.php#ini.disable-functions mentions "php.ini only" while it should be "global php.ini" or something along those lines. The setting is read during startup only, not on every request.
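The check a practitioner wants at this point is one that proves whether disable_functions is in effect, instead of trusting the row phpinfo() prints. The script below is an added example; it is not code from the report, from the reporter, or from PHP's own sources. It assumes it is served through the same php-fpm pool and virtual host as the test script in the report, that the [HOST=] value is visible to ini_get() just as it is to phpinfo(), and it relies on ReflectionFunction::isDisabled() (available since PHP 5.2.1, deprecated in PHP 8.0).

```php
<?php
// Added example, not part of the bug report or of PHP itself. phpinfo() and
// ini_get() show the value that was parsed for disable_functions; they do not
// prove that the functions are actually blocked. Drop this script under the
// virtual host in question, load it once, and delete it again.
// Written against PHP 5.5 (the version in the report); works on 7.x too. On
// PHP 8 ReflectionFunction::isDisabled() is deprecated and disabled functions
// are removed from the function table, so they are reported as 'absent'.

/**
 * Split a disable_functions value into unique lower-case names. PHP accepts
 * comma and/or whitespace separated lists, so both are treated as separators.
 */
function parse_disable_functions($value)
{
    $names = preg_split('/[\s,]+/', strtolower((string) $value), -1, PREG_SPLIT_NO_EMPTY);
    return array_values(array_unique($names));
}

/**
 * Classify one function name:
 *   'disabled' - present in the function table as the disable_functions stub
 *   'CALLABLE' - present and usable, i.e. the setting was NOT applied
 *   'absent'   - not in the function table at all (typo, extension not loaded,
 *                or PHP 8+, which removes disabled functions entirely)
 */
function disabled_status($name)
{
    try {
        $rf = new ReflectionFunction($name);
    } catch (ReflectionException $e) {
        return 'absent';
    }
    // PHP 5/7 keep a disabled function in the table as a stub that only emits
    // "has been disabled for security reasons"; isDisabled() detects that stub.
    return $rf->isDisabled() ? 'disabled' : 'CALLABLE';
}

/**
 * Check every name listed in the effective disable_functions value and return
 * name => status. The names that are still callable are returned by reference.
 */
function check_disable_functions($value, &$still_callable)
{
    $still_callable = array();
    $report = array();
    foreach (parse_disable_functions($value) as $name) {
        $report[$name] = disabled_status($name);
        if ($report[$name] === 'CALLABLE') {
            $still_callable[] = $name;
        }
    }
    return $report;
}

header('Content-Type: text/plain');
$configured = ini_get('disable_functions');
echo "disable_functions as reported by ini_get(): ", var_export($configured, true), "\n\n";

$report = check_disable_functions($configured, $leaks);
foreach ($report as $name => $status) {
    printf("%-14s %s\n", $name, $status);
}

if ($leaks) {
    echo "\nWARNING: disable_functions is displayed but not in effect for: ",
         implode(', ', $leaks), "\n",
         "disable_functions is PHP_INI_SYSTEM: set it in the global php.ini or,\n",
         "for php-fpm, per pool with php_admin_value[disable_functions].\n";
} elseif ($report) {
    echo "\nOK: every listed function is blocked.\n";
} else {
    echo "\nNOTE: disable_functions is empty for this request.\n";
}
```

Loaded through the host in the report, this prints the [HOST=] value followed by CALLABLE for each of the five listed functions, which is the condition the reporter only discovered by running exec('whoami'). A name that is misspelled in the INI value shows up as 'absent' rather than 'disabled', so the output should be read against a list of functions known to exist. For php-fpm the per-pool php_admin_value[disable_functions] in the pool file is applied when the pool starts, which is why it is honoured for a PHP_INI_SYSTEM setting; a value placed in a [HOST=] or [PATH=] section is only ever activated per request, which is the startup-only behaviour described in the comment above.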
 [2013-07-18 16:11 UTC] markku dot niskanen at gmail dot com
Actually phpinfo() should NOT show the inactive(?) setting! It is badly misleading, so it is not only about documentation. Why is it showing it? That fact MUST be classified as a bug because it is not showing the ACTUAL setting.

It is a bit unclear (to me, at least) how the "domain specific" settings work. If one mentions "global php.ini only" it will mislead many users into believing that it is the global php.ini, which may contain domain specific settings as well (like mine did).

That said, it also misleads into insecurity: phpinfo() shows the wrong status and one might believe it, just like I did.
 [2013-08-03 15:55 UTC] ben dot rubson at gmail dot com
See summary bug #65386
 [2013-10-04 16:24 UTC] krakjoe@php.net
Automatic comment from SVN on behalf of krakjoe
Revision: http://svn.php.net/viewvc/?view=revision&revision=331662
Log: #65289 give same level as clarity as everything else
 [2013-10-04 16:24 UTC] krakjoe@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: krakjoe
 [2013-10-04 16:24 UTC] krakjoe@php.net
The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.

The documentation has been updated to provide the same level of clarity for that setting as all the others, with its specific support constant PHP_INI_SYSTEM.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Tue Oct 15 18:01:27 2024 UTC