php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #74605 PHP disable_functions and FPM
Submitted: 2017-05-17 12:41 UTC Modified: -
Votes:5
Avg. Score:4.4 ± 0.8
Reproduced:5 of 5 (100.0%)
Same Version:2 (40.0%)
Same OS:1 (20.0%)
From: s dot peterse at detoekomst dot nl Assigned:
Status: Open Package: PHP options/info functions
PHP Version: 7.0.19 OS: Ubuntu 16.04.4
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: s dot peterse at detoekomst dot nl
New email:
PHP Version: OS:

 

 [2017-05-17 12:41 UTC] s dot peterse at detoekomst dot nl
Description:
------------
I'm running a PHP 7.0.15 setup on Ubuntu 16.04.4 (7.0.15-0ubuntu0.16.04.4). Apache calls PHP using a PHP FPM socket.

I have disabled php_uname in my main php.ini (/etc/php/7.0/fpm/php.ini) configuration. Changing this setting or overriding it in my FPM-Pool environment (using php_admin_value[disable_functions]) does correctly update the output of phpinfo(); but it doesn't actually work.

There are actually 2 issues with disable_functions:

1. Having a function disabled in the main php.ini and overriding it for a certain FPM pool (in /etc/php/7.0/fpm/pool.d/www.conf) will not showing the method listed in the phpinfo ouput (disable_functions). So it means it's not disabled, but it is disabled (PHP Warning:  php_uname() has been disabled for security reasons).

2. Having a function disabled in the main php.ini and adding to the same file a host override will correctly enable the function again but it's still showed as disabled in the phpinfo (but it isn't blocked!).

Test script:
---------------
My PHP test script:

<?php
phpinfo();
echo "php_uname: " . php_uname();
?>

---

NOTE: the difference between the 'disable_functions' option values is the php_uname function!

Configs for issue 1 (php_uname() function IS blocked but NOT SHOWN as disabled in phpinfo):

/etc/php/7.0/fpm/php.ini:
...
[PHP]
disable_functions = apache_child_terminate,apache_setenv,define_syslog_variables,escapeshellarg,escapeshellcmd,eval,exec,fp,fput,ftp_connect,ftp_exec,ftp_get,ftp_login,ftp_nb_fput,ftp_put,ftp_raw,ftp_rawlist,highlight_file,ini_alter,ini_get_all,ini_restore,inject_code,mysql_pconnect,openlog,passthru,pcntl_alarm,pcntl_exec,pcntl_fork,pcntl_get_last_error,pcntl_getpriority,pcntl_setpriority,pcntl_signal,pcntl_signal_dispatch,pcntl_sigprocmask,pcntl_sigtimedwait,pcntl_sigwaitinfo,pcntl_strerror,pcntl_wait,pcntl_waitpid,pcntl_wexitstatus,pcntl_wifcontinued,pcntl_wifexited,pcntl_wifsignaled,pcntl_wifstopped,pcntl_wstopsig,pcntl_wtermsig,phpAds_XmlRpc,phpAds_remoteInfo,phpAds_xmlrpcDecode,phpAds_xmlrpcEncode,php_uname,popen,posix_getpwuid,posix_kill,posix_mkfifo,posix_setpgid,posix_setsid,posix_setuid,posix_uname,proc_close,proc_get_status,proc_nice,proc_open,proc_terminate,shell_exec,syslog,system,xmlrpc_entity_decode,
...

/etc/php/7.0/fpm/pool.d/www.conf
[www]

user = www
group = www

listen = /run/php/php7.0-fpm.www.sock

listen.owner = www-data
listen.group = www-data

pm = dynamic
pm.max_children = 5
pm.start_servers = 2
pm.min_spare_servers = 1
pm.max_spare_servers = 3

; Custom php.ini settings
php_admin_value[max_execution_time] = 300
php_admin_value[disable_functions] = apache_child_terminate,apache_setenv,define_syslog_variables,escapeshellarg,escapeshellcmd,eval,exec,fp,fput,ftp_connect,ftp_exec,ftp_get,ftp_login,ftp_nb_fput,ftp_put,ftp_raw,ftp_rawlist,highlight_file,ini_alter,ini_get_all,ini_restore,inject_code,mysql_pconnect,openlog,passthru,pcntl_alarm,pcntl_exec,pcntl_fork,pcntl_get_last_error,pcntl_getpriority,pcntl_setpriority,pcntl_signal,pcntl_signal_dispatch,pcntl_sigprocmask,pcntl_sigtimedwait,pcntl_sigwaitinfo,pcntl_strerror,pcntl_wait,pcntl_waitpid,pcntl_wexitstatus,pcntl_wifcontinued,pcntl_wifexited,pcntl_wifsignaled,pcntl_wifstopped,pcntl_wstopsig,pcntl_wtermsig,phpAds_XmlRpc,phpAds_remoteInfo,phpAds_xmlrpcDecode,phpAds_xmlrpcEncode,popen,posix_getpwuid,posix_kill,posix_mkfifo,posix_setpgid,posix_setsid,posix_setuid,posix_uname,proc_close,proc_get_status,proc_nice,proc_open,proc_terminate,shell_exec,syslog,system,xmlrpc_entity_decode,

---

Configs for issue 2 (php_uname() function NOT blocked but SHOWN as disabled in phpinfo):

/etc/php/7.0/fpm/php.ini:
...
[HOST=mydomain]
disable_functions = apache_child_terminate,apache_setenv,define_syslog_variables,escapeshellarg,escapeshellcmd,eval,exec,fp,fput,ftp_connect,ftp_exec,ftp_get,ftp_login,ftp_nb_fput,ftp_put,ftp_raw,ftp_rawlist,highlight_file,ini_alter,ini_get_all,ini_restore,inject_code,mysql_pconnect,openlog,passthru,pcntl_alarm,pcntl_exec,pcntl_fork,pcntl_get_last_error,pcntl_getpriority,pcntl_setpriority,pcntl_signal,pcntl_signal_dispatch,pcntl_sigprocmask,pcntl_sigtimedwait,pcntl_sigwaitinfo,pcntl_strerror,pcntl_wait,pcntl_waitpid,pcntl_wexitstatus,pcntl_wifcontinued,pcntl_wifexited,pcntl_wifsignaled,pcntl_wifstopped,pcntl_wstopsig,pcntl_wtermsig,phpAds_XmlRpc,phpAds_remoteInfo,phpAds_xmlrpcDecode,phpAds_xmlrpcEncode,popen,posix_getpwuid,posix_kill,posix_mkfifo,posix_setpgid,posix_setsid,posix_setuid,posix_uname,proc_close,proc_get_status,proc_nice,proc_open,proc_terminate,shell_exec,syslog,system,xmlrpc_entity_decode,
...
[PHP]
disable_functions = apache_child_terminate,apache_setenv,define_syslog_variables,escapeshellarg,escapeshellcmd,eval,exec,fp,fput,ftp_connect,ftp_exec,ftp_get,ftp_login,ftp_nb_fput,ftp_put,ftp_raw,ftp_rawlist,highlight_file,ini_alter,ini_get_all,ini_restore,inject_code,mysql_pconnect,openlog,passthru,pcntl_alarm,pcntl_exec,pcntl_fork,pcntl_get_last_error,pcntl_getpriority,pcntl_setpriority,pcntl_signal,pcntl_signal_dispatch,pcntl_sigprocmask,pcntl_sigtimedwait,pcntl_sigwaitinfo,pcntl_strerror,pcntl_wait,pcntl_waitpid,pcntl_wexitstatus,pcntl_wifcontinued,pcntl_wifexited,pcntl_wifsignaled,pcntl_wifstopped,pcntl_wstopsig,pcntl_wtermsig,phpAds_XmlRpc,phpAds_remoteInfo,phpAds_xmlrpcDecode,phpAds_xmlrpcEncode,php_uname,popen,posix_getpwuid,posix_kill,posix_mkfifo,posix_setpgid,posix_setsid,posix_setuid,posix_uname,proc_close,proc_get_status,proc_nice,proc_open,proc_terminate,shell_exec,syslog,system,xmlrpc_entity_decode,
...

/etc/php/7.0/fpm/pool.d/www.conf
[www]

user = www
group = www

listen = /run/php/php7.0-fpm.www.sock

listen.owner = www-data
listen.group = www-data

pm = dynamic
pm.max_children = 5
pm.start_servers = 2
pm.min_spare_servers = 1
pm.max_spare_servers = 3

; Custom php.ini settings
php_admin_value[max_execution_time] = 300


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2018-06-24 20:22 UTC] pguru dot rahul at gmail dot com
did anyone find a patch for issue 1.. I am facing same issue. A strange Issue..

a) Phpinfo function  loads  default ini files ,additional ini files And showing disable Functions has no value. But some of the Functions like 'ini_get_all', ini_get are actually disabled or are not callable.
 [2020-02-25 19:21 UTC] yuri+bugs at fused dot com
This bug is still present and exceptionally easy to reproduce in 7.2.27.
 [2020-05-04 16:59 UTC] ata350 at gmail dot com
Me too having this issue why nobody fix this ?
 [2020-05-04 17:06 UTC] bugreports at gmail dot com
RTFM

https://www.php.net/manual/en/ini.core.php#ini.disable-functions

disable_functions PHP_INI_SYSTEM only 	

This directive must be set in php.ini For example, you cannot set this in httpd.conf.
 [2023-03-24 20:29 UTC] ichier at pillepalle dot net
thanx bugreports at gmail...

yes, it's not designed to work right now - but it should. it's a serious security concern.

you don't want every site on your server be able to do dangerous stuff, like those generic outdated wordpress-installations and other constantly bleeding things

but sometimes you need a special hidden service to be able to do one specific thing
you want those to enable explicitly only to that service


my solution on debian right now is an additional php-fpm running 8.0 with those things allowed, next to the 8.1 and 8.2 needed for normal operation. instead of that one 8.0 allowing all the needed stuff for all of those services i'd really want to be more granular, next to being able to run those on 8.2, of course...


also, it still is a bug, since what is shown doesn't correspond to what is happening.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Tue Mar 19 06:01:30 2024 UTC