go to bug id or search bugs for
I open this bug to summarize findings / requests
around disable_functions directive.
1 - Bug
"php_admin_value disable_functions" should not
affect the local ini value.
2 - Request
"php_admin_value disable_functions" should
be able to disable functions.
3 - Request
"php_admin_value enable_functions" should
re-enable disabled functions.
To sum up, could you make disable_functions
a PHP_INI_SYSTEM directive ?
Could you also implement enable_functions
as a PHP_INI_SYSTEM directive ?
We would then be able to fine tune each
Apache virtualhost independently, securely.
Thank you very much !
Add a Patch
Add a Pull Request
Related To: Bug #24702
Related To: Bug #65289
Related To: Bug #13833
Related To: Bug #52325
Related To: Bug #54239
Related To: Bug #65351
Another interesting feature would be the support of wildcards
in disable_functions directive.
To disable the 21 PCNTL functions, instead of having to write :
"disable_functions = pcntl_alarm,pcntl_fork,pcntl_waitpid,..."
We would be able to write :
"disable_functions = pcntl_*"
Also the documentation is not consistent.
At the top of the page, it states the directive is PHP_INI_SYSTEM
and at the bottom of the same page, it says its php.ini only.
Using php 5.4.21, I've observed that the option can be set per virtual host and will show up in the phpinfo() output, but its only effective if placed in the php.ini
My preference would be to have this setting actually work at the PHP_INI_SYSTEM level.
Any news about these requests ?
- modification of disable_functions to be a PHP_INI_SYSTEM directive ;
- implementation of enable_functions as a PHP_INI_SYSTEM directive ;
- support of wildcards in these 2 directives.
Thank you !
Any news about this please ?
Thank you !
It seems to me that those changes would require at least some
discussion on the internals mailing list, and perhaps even an RFC,
Thank you cmb for your suggestion.
I then just opened a discussion :
i wrote a bugreport years ago - one of the problems is/was that phpinfo() even shows the vhost setting but the functions are *not* disabled while suhosin had many years a per-host working param which worked as expected
can you also please take a look at https://bugs.php.net/bug.php?id=73921 it's horrible that disabled_functions just lead to a warning where on most servers you have no access and so instead of notice that something don't run it should throw a exception which can be handeled properly
nginx and php-fpm work as expected in my opinion.
fastcgi_param PHP_ADMIN_VALUE "disable_functions=exec,passthru,shell_exec,system,proc_open,popen";
Disables those functions on a virtual host entry in the nginx template.
However, the same thing adjusted for Apache2 syntax does NOT:
php_admin_value disable_functions exec,passthru,shell_exec,system,proc_open,popen
I think the behavior in Apache2 should be the same as it is in nginx. I don't want to use Suhosin, and I shouldn't have to disable those functions globally in the php.ini file since some of my sites absolutely need to use those functions.