PHP :: Bug #81087 :: Disabled function must not be allowed to declare in script

Bug #81087	Disabled function must not be allowed to declare in script
Submitted:	2021-05-27 17:30 UTC	Modified:	2021-05-27 20:04 UTC
From:	mvorisek at mvorisek dot cz	Assigned:
Status:	Not a bug	Package:	*General Issues
PHP Version:	8.0.6	OS:	any
Private report:	No	CVE-ID:	None

View Developer Edit

[2021-05-27 17:30 UTC] mvorisek at mvorisek dot cz

Description:
------------
See https://3v4l.org/DNoNp

As of PHP 8.0 disabled function are removed before the script is run.

But the function name can be redeclared in script which can imply a script security issue.

Imagine proc_open (and all related) functions are disabled. Some 3rd party can redeclare this function. When some script checks for existence of that function, check passes and completely different implementation is run. This should be not possible.

It is fine that function_exists returns false for disabled function, but injecting function with the same name must result in a fatal error.

Test script:
---------------
<?php

var_dump(ini_get('disable_functions')); // string(22) "proc_open,phpinfo,mail"

eval('function proc_open() { echo \'x\'; }');
proc_open();

Expected result:
----------------
see desc, fatal error

Actual result:
--------------
string(22) "proc_open,phpinfo,mail"
x

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2021-05-27 17:37 UTC] krakjoe@php.net

-Status: Open +Status: Feedback

[2021-05-27 17:37 UTC] krakjoe@php.net

If a third party has the access necessary to declare a new function, isn't it too late to plug the security hole you imagine this opens up ?

It's now a possibility for normal code to disable an inbuilt function because it wasn't to declare another implementation, I'm not sure why we should not allow that.

[2021-05-27 17:39 UTC] krakjoe@php.net

*because it wants

[2021-05-27 20:04 UTC] girgias@php.net

-Status: Feedback +Status: Not a bug

[2021-05-27 20:04 UTC] girgias@php.net

Thank you for taking the time to write to us, but this is not
a bug. Please double-check the documentation available at
http://www.php.net/manual/ and the instructions on how to report
a bug at http://bugs.php.net/how-to-report.php

See the migration guide, this is intended behaviour:

> Disabled functions are now treated exactly like non-existent functions. Calling a > disabled function will report it as unknown, and redefining a disabled function is > now possible.

[2021-05-27 20:12 UTC] m at m dot cz

Please keep as a feature request. User excepts some behaviour of internal php functions and the impl. should be not allowed to be redefined by the user.

I belive the current behaviour is more or less side effect of the current implementation. Constants, class methods, ... all can not be redeclared.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Sat Dec 21 13:01:31 2024 UTC