php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Request #77413 .ini function to disable use of opcache_reset();
Submitted: 2019-01-05 12:38 UTC Modified: 2019-01-05 13:12 UTC
From: post at minhost dot no Assigned:
Status: Closed Package: opcache
PHP Version: 7.2.13 OS: CentOS 7.x
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: post at minhost dot no
New email:
PHP Version: OS:

 

 [2019-01-05 12:38 UTC] post at minhost dot no 
Description:
------------
We are running shared hosting servers with many different customers and sites on each dedicated server. We allocate enough memory to opcache so that all customers php scripts is cached in opcache.

The problem is that our shared hosting customers is able to upload a php script with the following code to empty opcache for ALL customers on that same server:

<?php
opcache_reset();

Further there is nothing stopping any customers from doing this as frequently as they like. It is a big problem that one single customer can empty the entire opcache for all other customers on the same server.

Please add a new .ini function to disable the php code opcache_reset(); from being able to execute, so that we can disable this completely in opcache.ini/php.ini - We do not need to empty opcache by using this PHP code. opcache is emptied when we reload php-fpm, and that is enough for us.

The new .ini function should be added to this page: http://php.net/manual/en/opcache.configuration.php - Suggestion for naming of the .ini function: opcache.disable.reset= 0 or 1

Please appreciate that it is problematic for shared hosting providers that any users on a server can run opcache_reset(); in a php script to empty opcache for all other customers on the same server.

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2019-01-05 13:01 UTC] requinix@php.net
-Status: Open +Status: Wont fix
 [2019-01-05 13:01 UTC] requinix@php.net 
This is the sort of situation that disable_functions is designed for.
http://php.net/manual/en/ini.core.php#ini.disable-functions
 [2019-01-05 13:12 UTC] post at minhost dot no
-Status: Wont fix +Status: Closed
 [2019-01-05 13:12 UTC] post at minhost dot no 
Thank you. I feel stupid I never thought of that. :) Changing the status to closed.
 [2019-01-05 14:57 UTC] spam2 at rhsoft dot net 
besides that you likely want opcache.restrict_api = "/usr/share/php/opcache.php" when you run shared hosting and didn't know about "disable_functions" you have far bigger problems than clearing a cache which populates itself again

disable_functions = "get_browser, apcu_cache_info, apcu_clear_cache, apcu_sma_info, apache_child_terminate, chown, dl, exec, fileinode, get_current_user, getmypid, getmyuid, getrusage, highlight_file, link, mail, openlog, passthru, pclose, pcntl_alarm, pcntl_errno, pcntl_exec, pcntl_fork, pcntl_get_last_error, pcntl_getpriority, pcntl_setpriority, pcntl_signal_dispatch, pcntl_signal, pcntl_sigprocmask, pcntl_sigtimedwait, pcntl_sigwaitinfo, pcntl_strerror, pcntl_wait, pcntl_waitpid, pcntl_wexitstatus, pcntl_wifexited, pcntl_wifsignaled, pcntl_wifstopped, pcntl_wstopsig, pcntl_wtermsig, pfsockopen, popen, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid, proc_close, proc_get_status, proc_nice, proc_open, proc_terminate, shell_exec, show_source, socket_accept, socket_bind, symlink, syslog, system"
 [2019-01-05 15:02 UTC] post at minhost dot no 
@spam2 at rhsoft dot net, I don't know if you are trying to insult me or not, but it is not working. Of cource I knew about disable_functions, I just did not think about it in this context.
 [2019-01-05 19:33 UTC] spam2 at rhsoft dot net 
yeah, if you like feel insulted because someone shares production configs

feel also insulted by the fact that on recent systemd versions "InaccessiblePaths=-/usr/bin/bash" kills every shell execition implicit and i am an asshole telling others....
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved. 		Last updated: Thu Apr 25 09:01:29 2024 UTC