|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #81087 Disabled function must not be allowed to declare in script
Submitted: 2021-05-27 17:30 UTC Modified: 2021-05-27 20:04 UTC
From: mvorisek at mvorisek dot cz Assigned:
Status: Not a bug Package: *General Issues
PHP Version: 8.0.6 OS: any
Private report: No CVE-ID: None
 [2021-05-27 17:30 UTC] mvorisek at mvorisek dot cz

As of PHP 8.0 disabled function are removed before the script is run.

But the function name can be redeclared in script which can imply a script security issue.

Imagine proc_open (and all related) functions are disabled. Some 3rd party can redeclare this function. When some script checks for existence of that function, check passes and completely different implementation is run. This should be not possible.

It is fine that function_exists returns false for disabled function, but injecting function with the same name must result in a fatal error.

Test script:

var_dump(ini_get('disable_functions')); // string(22) "proc_open,phpinfo,mail"

eval('function proc_open() { echo \'x\'; }');

Expected result:
see desc, fatal error

Actual result:
string(22) "proc_open,phpinfo,mail"


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2021-05-27 17:37 UTC]
-Status: Open +Status: Feedback
 [2021-05-27 17:37 UTC]
If a third party has the access necessary to declare a new function, isn't it too late to plug the security hole you imagine this opens up ?

It's now a possibility for normal code to disable an inbuilt function because it wasn't to declare another implementation, I'm not sure why we should not allow that.
 [2021-05-27 17:39 UTC]
*because it wants
 [2021-05-27 20:04 UTC]
-Status: Feedback +Status: Not a bug
 [2021-05-27 20:04 UTC]
Thank you for taking the time to write to us, but this is not
a bug. Please double-check the documentation available at and the instructions on how to report
a bug at

See the migration guide, this is intended behaviour:

> Disabled functions are now treated exactly like non-existent functions. Calling a > disabled function will report it as unknown, and redefining a disabled function is > now possible.
 [2021-05-27 20:12 UTC] m at m dot cz
Please keep as a feature request. User excepts some behaviour of internal php functions and the impl. should be not allowed to be redefined by the user.

I belive the current behaviour is more or less side effect of the current implementation. Constants, class methods, ... all can not be redeclared.
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sun Jun 16 18:01:30 2024 UTC