php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #68092 chmod still works after being disabled via disable_functions
Submitted: 2014-09-24 20:19 UTC Modified: 2014-10-06 08:21 UTC
From: software-php at interfasys dot ch Assigned:
Status: Not a bug Package: PHP options/info functions
PHP Version: 5.4.33 OS: FreeBSD
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: software-php at interfasys dot ch
New email:
PHP Version: OS:

 

 [2014-09-24 20:19 UTC] software-php at interfasys dot ch 
Description:
------------
I'm using PHP-FPM 5.4.33

In a secondary ini file add a section which will apply to one website and disable chmod
[HOST=my.web.site]
disable_functions = "chmod"

Check that the function is disabled via phpinfo()
In my case, the local value for disable_functions shows "chmod"

Create a simple script which chmods a file







Test script:
---------------
if (!ini_get('display_errors')) {
    ini_set('display_errors', '1');
}

echo ini_get('display_errors');
echo "I am chowning a file";

chmod("testcase.php", 0777);

Expected result:
----------------
I should get an error message telling me that this is not allowed

Actual result:
--------------
The file is chowned to 777.

Not that if the same function is added to Suhosin's blacklist, then I will get the proper warning:
"Warning: chmod() has been disabled for security reasons"

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2014-10-06 08:21 UTC] datibbaw@php.net
-Status: Open +Status: Not a bug
 [2014-10-06 08:21 UTC] datibbaw@php.net 
Sorry, but your problem does not imply a bug in PHP itself.  For a
list of more appropriate places to ask for help using PHP, please
visit http://www.php.net/support.php as this bug system is not the
appropriate forum for asking support questions.  Due to the volume
of reports we can not explain in detail here why your report is not
a bug.  The support channels will be able to provide an explanation
for you.

Thank you for your interest in PHP.

The following test case works as expected:

--TEST--
Test chmod() when disabled
--INI--
disable_functions = "chmod"
--FILE--
<?php

chmod(__FILE__, 0644);
--EXPECTF--
Warning: chmod() has been disabled for security reasons in %s on line %d
 [2014-10-06 11:33 UTC] software-php at interfasys dot ch 
There are 2 problems with your test

#1 You did not add disable_functions to a php.ini section. That's where there might be a problem. It's still php.ini (the only location where disable_functions works), so should be supported or clearly stated as not working
--INI--
[HOST=my.web.site]
disable_functions = "chmod"


#2 Your test did not test phpinfo() to see if chmod was being reported as being disabled. In my test it was shown as disabled (via the GUI), indicating that php.ini sections settings were properly picked up, but not properly applied.
--FILE--
<? php
echo 'disable_functions = ' . ini_get('disable_functions') . "</br>";
echo 'Is chmod allowed? ' . function_exists('chmod') . "</br>";


Now if I go to my.web.site/test.php, I get this
disable_functions = chmod
Is chmod allowed? 1

instead of

disable_functions = chmod
Is chmod allowed? 0
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved. 		Last updated: Fri Apr 19 20:01:29 2024 UTC