Bug #81087 Disabled function must not be allowed to declare in script
Submitted: 2021-05-27 17:30 UTC Modified: 2021-05-27 20:04 UTC
From: mvorisek at mvorisek dot cz Assigned:
Status: Not a bug Package: *General Issues
PHP Version: 8.0.6 OS: any
Private report: No CVE-ID: None
 [2021-05-27 17:30 UTC] mvorisek at mvorisek dot cz
Description:
------------
See https://3v4l.org/DNoNp

As of PHP 8.0 disabled functions are removed before the script is run.

But the function name can be redeclared in a script, which can imply a script security issue.

Imagine proc_open (and all related) functions are disabled. Some 3rd party can redeclare this function. When some script checks for the existence of that function, the check passes and a completely different implementation is run. This should not be possible.

It is fine that function_exists returns false for a disabled function, but injecting a function with the same name must result in a fatal error.

Test script:
---------------
<?php

var_dump(ini_get('disable_functions')); // string(22) "proc_open,phpinfo,mail"

eval('function proc_open() { echo \'x\'; }');
proc_open();

Expected result:
----------------
see desc, fatal error

Actual result:
--------------
string(22) "proc_open,phpinfo,mail"
x

 [2021-05-27 17:37 UTC] krakjoe@php.net
-Status: Open +Status: Feedback
 [2021-05-27 17:37 UTC] krakjoe@php.net
If a third party has the access necessary to declare a new function, isn't it too late to plug the security hole you imagine this opens up?

It's now a possibility for normal code to disable an inbuilt function because it wasn't to declare another implementation, I'm not sure why we should not allow that.
 [2021-05-27 17:39 UTC] krakjoe@php.net
*because it wants
 [2021-05-27 20:04 UTC] girgias@php.net
-Status: Feedback +Status: Not a bug
 [2021-05-27 20:04 UTC] girgias@php.net
Thank you for taking the time to write to us, but this is not
a bug. Please double-check the documentation available at
http://www.php.net/manual/ and the instructions on how to report
a bug at http://bugs.php.net/how-to-report.php

See the migration guide, this is intended behaviour:

> Disabled functions are now treated exactly like non-existent functions. Calling a disabled function will report it as unknown, and redefining a disabled function is now possible.
 [2021-05-27 20:12 UTC] m at m dot cz
Please keep as a feature request. The user expects some behaviour of internal PHP functions, and the impl. should not be allowed to be redefined by the user.

I believe the current behaviour is more or less a side effect of the current implementation. Constants, class methods, ... all can not be redeclared.
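
An added example, not part of the bug report or of PHP's own code: because PHP 8.0 treats a disabled function like a non-existent one, `function_exists()` alone cannot tell the engine's `proc_open` from a userland re-declaration, while `ReflectionFunction::isInternal()` can. The helper names are hypothetical, and the demo assumes it is run with `disable_functions=proc_open,phpinfo,mail` as in the report.

```php
<?php
// Added example: find names from disable_functions that userland code has re-declared.

/** Names listed in the disable_functions ini setting (empty array if none). */
function disabled_function_names(): array
{
    $raw = (string) ini_get('disable_functions');
    $names = array_map('trim', explode(',', $raw));
    return array_values(array_filter($names, fn($n) => $n !== ''));
}

/**
 * Classify a function name:
 *   'internal' - provided by the engine or an extension
 *   'user'     - declared in PHP code (include, eval, ...)
 *   'missing'  - not declared (on PHP 8.0 a disabled function looks like this)
 */
function classify_function(string $name): string
{
    if (!function_exists($name)) {
        return 'missing';
    }
    return (new ReflectionFunction($name))->isInternal() ? 'internal' : 'user';
}

/** Disabled names that currently resolve to a userland declaration, with its location. */
function shadowed_disabled_functions(): array
{
    $shadowed = [];
    foreach (disabled_function_names() as $name) {
        if (classify_function($name) === 'user') {
            $rf = new ReflectionFunction($name);
            $shadowed[$name] = $rf->getFileName() . ':' . $rf->getStartLine();
        }
    }
    return $shadowed;
}

// Constructed demo. Run with: php -d disable_functions=proc_open,phpinfo,mail demo.php
if (in_array('proc_open', disabled_function_names(), true) && !function_exists('proc_open')) {
    eval('function proc_open() { echo "x"; }'); // same re-declaration as the report's test script
}
foreach (['proc_open', 'strlen', 'no_such_function'] as $name) {
    printf("%-18s %s\n", $name, classify_function($name));
}
foreach (shadowed_disabled_functions() as $name => $where) {
    printf("disabled name re-declared in userland: %s at %s\n", $name, $where);
}
```

Code that gates a feature on `function_exists('proc_open')` can call `classify_function()` instead and proceed only on `'internal'`.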
 
Last updated: Thu May 19 05:05:44 2022 UTC