Doc Bug #65289 disable_functions per domain not working
Submitted: 2013-07-18 15:07 UTC Modified: 2013-10-04 16:24 UTC
Avg. Score:5.0 ± 0.0
Reproduced:0 of 0 (0.0%)
From: markku dot niskanen at gmail dot com Assigned: krakjoe (profile)
Status: Closed Package: FPM related
PHP Version: 5.5.0 OS: Centos 6.2
Private report: No CVE-ID: None
 [2013-07-18 15:07 UTC] markku dot niskanen at gmail dot com
NOTE: If this is a feature and not a bug it should be in the documentation.

Using domain specific php.ini disable_functions setting does not work.

Using the settings below I can still run phpinfo(). I can actually see that the 
settings should prevent me running it as they are there!

The master value of disable_functions is an empty string. When the setting is 
applied as a master value it prevents running the functions correctly.

Tested with Centos 6.2 & Centos 5.4 and PHP 5.5.0 (php-fpm).

Test script:
# php.ini settings: 
# end of php.ini std stuff, host specific stuff starts

<?php phpinfo();
  echo exec('whoami');

Expected result:
(empty page)

Actual result:
FULL phpinfo() page plus the user name!

result copied from browser :

disable_functions	phpinfo,exec,shell_exec,system,passthru
upload_max_filesize	7M

So the settings are there but not working.


 [2013-07-18 15:14 UTC]
-Type: Security +Type: Documentation Problem
 [2013-07-18 15:14 UTC]
The documentation should be made clearer. mentions "php.ini only" while it should be "global php.ini" or something along the lines. The setting is read during startup only, not on every request.
 [2013-07-18 16:11 UTC] markku dot niskanen at gmail dot com
Actually phpinfo() should NOT show the inactive(?) setting! 
It is badly misleading so it is not only about documentation. 
Why is it showing it? That fact MUST be classified as a bug because 
it is not showing the ACTUAL setting. 

It is a bit unclear (to me, at least) how the "domain specific" 
settings work. If one mentions "global.php.ini only" it will mislead 
many users to believe that it is the global php.ini which may contain 
domain specific settings as well (like mine did).

That said it also misleads to insecurity: phpinfo() shows the wrong
status and one might believe in it just like I did.
 [2013-08-03 15:55 UTC] ben dot rubson at gmail dot com
See summary bug #65386
 [2013-10-04 16:24 UTC]
Automatic comment from SVN on behalf of krakjoe
Log: #65289 give same level as clarity as everything else
 [2013-10-04 16:24 UTC]
-Status: Open +Status: Closed -Assigned To: +Assigned To: krakjoe
 [2013-10-04 16:24 UTC]
The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at

 For Windows:
Thank you for the report, and for helping us make PHP better.

The documentation has been updated to provide the same level of clarity for that setting as all the others, with its specific support constant PHP_INI_SYSTEM.
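
Added example (not part of the bug report or of PHP itself): a small Python audit that flags disable_functions placed inside a per-host or per-path php.ini section, the placement this thread shows is displayed by phpinfo() but not enforced. The sample php.ini and the host name example.test are constructed; the directive values are the ones quoted in the report.

```python
import re

# Per the thread, disable_functions is read once at startup from the global
# php.ini; a per-host value shows up in phpinfo() but is not enforced.
STARTUP_ONLY = {"disable_functions"}
SECTION = re.compile(r"^\[\s*(HOST|PATH)\s*=\s*(.+?)\s*\]$", re.IGNORECASE)
DIRECTIVE = re.compile(r"^([A-Za-z0-9_.]+)\s*=\s*(.*)$")

# Constructed sample, not the reporter's file (example.test is a placeholder).
SAMPLE_INI = """\
[PHP]
; global part: nothing disabled
disable_functions =
upload_max_filesize = 2M

[HOST=example.test]
disable_functions = phpinfo,exec,shell_exec,system,passthru
upload_max_filesize = 7M
"""


def audit_php_ini(text):
    """Return (global_values, findings) for startup-only directives.

    findings lists (line_no, scope, directive, value) for each startup-only
    directive found inside a [HOST=...] or [PATH=...] section.
    """
    scope = None  # None means the global part of php.ini
    global_values, findings = {}, []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            m = SECTION.match(line)
            # Ordinary sections such as [PHP] are still global scope.
            scope = f"{m.group(1).upper()}={m.group(2)}" if m else None
            continue
        m = DIRECTIVE.match(line)
        if not m or m.group(1).lower() not in STARTUP_ONLY:
            continue
        name = m.group(1).lower()
        # Drop a trailing ';' comment and optional quotes around the value.
        value = m.group(2).split(";", 1)[0].strip().strip('"')
        if scope is None:
            global_values[name] = value
        else:
            findings.append((line_no, scope, name, value))
    return global_values, findings
```

A non-empty findings list means the file relies on a per-host value that PHP will report but not apply; the list of functions belongs in the global part of php.ini instead.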
Last updated: Mon May 29 09:03:40 2023 UTC