php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Request #65386 [summary] disable_functions / enable_functions / virtualhost...
Submitted: 2013-08-03 15:53 UTC Modified: 2017-01-13 12:31 UTC
Votes:8
Avg. Score:4.6 ± 0.7
Reproduced:8 of 8 (100.0%)
Same Version:2 (25.0%)
Same OS:1 (12.5%)
From: ben dot rubson at gmail dot com Assigned:
Status: Open Package: PHP options/info functions
PHP Version: 5.6.7 OS:
Private report: No CVE-ID: None
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: ben dot rubson at gmail dot com
New email:
PHP Version: OS:

 

 [2013-08-03 15:53 UTC] ben dot rubson at gmail dot com
Description:
------------
Hello,

I open this bug to summarize findings / requests
around disable_functions directive.

1 - Bug
"php_admin_value disable_functions" should not
affect the local ini value.
bug #24702
bug #65289

2 - Request
"php_admin_value disable_functions" should
be able to disable functions.
bug #13833
bug #52325
bug #54239

3 - Request
"php_admin_value enable_functions" should
re-enable disabled functions.
bug #65351

To sum up, could you make disable_functions
a PHP_INI_SYSTEM directive ?
Could you also implement enable_functions
as a PHP_INI_SYSTEM directive ?

We would then be able to fine tune each
Apache virtualhost independently, securely.

Thank you very much !


Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2013-08-04 10:27 UTC] ben dot rubson at gmail dot com
Another interesting feature would be the support of wildcards
in disable_functions directive.

To disable the 21 PCNTL functions, instead of having to write :
"disable_functions = pcntl_alarm,pcntl_fork,pcntl_waitpid,..."

We would be able to write :
"disable_functions = pcntl_*"

Thanks !
 [2013-11-20 21:58 UTC] txyoji at yahoo dot com
Also the documentation is not consistent.
http://www.php.net/manual/en/ini.core.php#ini.disable-functions
At the top of the page, it states the directive is PHP_INI_SYSTEM
and at the bottom of the same page, it says its php.ini only.

Using php 5.4.21, I've observed that the option can be set per virtual host and will show up in the phpinfo() output, but its only effective if placed in the php.ini

My preference would be to have this setting actually work at the PHP_INI_SYSTEM level.
 [2014-02-23 17:26 UTC] ben dot rubson at gmail dot com
Hello,

Any news about these requests ?
- modification of disable_functions to be a PHP_INI_SYSTEM directive ;
- implementation of enable_functions as a PHP_INI_SYSTEM directive ;
- support of wildcards in these 2 directives.

Thank you !
 [2015-05-24 17:40 UTC] ben dot rubson at gmail dot com
-PHP Version: 5.4.17 +PHP Version: 5.6.7
 [2015-05-24 17:40 UTC] ben dot rubson at gmail dot com
Hello,

Any news about this please ?

Thank you !
 [2017-01-13 12:31 UTC] cmb@php.net
It seems to me that those changes would require at least some
discussion on the internals mailing list, and perhaps even an RFC,
see <http://wiki.php.net/rfc/howto>.
 [2017-01-19 11:26 UTC] ben dot rubson at gmail dot com
Thank you cmb for your suggestion.
I then just opened a discussion :
http://marc.info/?l=php-internals&m=148482478815431&w=2
 [2017-01-19 17:59 UTC] spam2 at rhsoft dot net
oh YES!

i wrote a bugreport years ago - one of the problems is/was that phpinfo() even shows the vhost setting but the functions are *not* disabled while suhosin had many years a per-host working param which worked as expected

can you also please take a look at https://bugs.php.net/bug.php?id=73921 it's horrible that disabled_functions just lead to a warning where on most servers you have no access and so instead of notice that something don't run it should throw a exception which can be handeled properly
 [2017-03-16 01:40 UTC] own3mall at gmail dot com
nginx and php-fpm work as expected in my opinion.

fastcgi_param  PHP_ADMIN_VALUE "disable_functions=exec,passthru,shell_exec,system,proc_open,popen";

Disables those functions on a virtual host entry in the nginx template.  

However, the same thing adjusted for Apache2 syntax does NOT:

php_admin_value disable_functions exec,passthru,shell_exec,system,proc_open,popen

I think the behavior in Apache2 should be the same as it is in nginx.  I don't want to use Suhosin, and I shouldn't have to disable those functions globally in the php.ini file since some of my sites absolutely need to use those functions.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Fri Sep 20 16:01:26 2024 UTC