Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:120902 Return-Path: Delivered-To: mailing list internals@lists.php.net Received: (qmail 96142 invoked from network); 14 Aug 2023 20:12:08 -0000 Received: from unknown (HELO php-smtp4.php.net) (45.112.84.5) by pb1.pair.com with SMTP; 14 Aug 2023 20:12:08 -0000 Received: from php-smtp4.php.net (localhost [127.0.0.1]) by php-smtp4.php.net (Postfix) with ESMTP id 12A301804B0 for ; Mon, 14 Aug 2023 13:12:08 -0700 (PDT) X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on php-smtp4.php.net X-Spam-Level: X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_FROM,HTML_MESSAGE, RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H3,RCVD_IN_MSPIKE_WL,SPF_HELO_NONE, SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=no autolearn_force=no version=3.4.2 X-Spam-ASN: AS15169 209.85.128.0/17 X-Spam-Virus: No X-Envelope-From: Received: from mail-oa1-f53.google.com (mail-oa1-f53.google.com [209.85.160.53]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by php-smtp4.php.net (Postfix) with ESMTPS for ; Mon, 14 Aug 2023 13:12:07 -0700 (PDT) Received: by mail-oa1-f53.google.com with SMTP id 586e51a60fabf-1c4af84667bso2191907fac.1 for ; Mon, 14 Aug 2023 13:12:07 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20221208; t=1692043927; x=1692648727; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=3EpGqDUSuXgoZgFMWZqiUyZamY92TtvH48Spx5bugxg=; b=aTTZOr0L8wXxuECFATAyYagSOTtCINm2s1iPSTZMnfHBTcDMS5LuYrTQ4UgAYEMBoU LJ36Hz2w9NxiW7sRDN/1keWdj6UpHbXVAfPFDOfsx8zZ8YJfv9FW/f+nPFzg5I1W9cgX 9Flf6Ob3JO3dq3RLARffepKEaygCqIUuXfYT4v8f7e7PUkhOZm/N6MMGgJIN7DYBumAY U0jVr+SS4sYPz4w2tZ15DJNv9Z7ORLIokiZm+ifx049o2dAPTBRRUTpbEF+1ESZ2AEJX oNF7QpBxtO7a9pt3XhqvgkahWIO2rnatnB6D2ngflLQTft3kPamhoQwJ+RtyZwsbzPyx OOMw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1692043927; x=1692648727; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=3EpGqDUSuXgoZgFMWZqiUyZamY92TtvH48Spx5bugxg=; b=T39a0B4zTXsBlOUF9ivSH0g5ggElGS8GQIVU8AnEWCOdPi0cmdVgx5Wujs9o4P/YgZ QJ0nixjkvUQvCMeqtN1KeMhhRxKmjzXZg3iyBhh69Rz+iaQWdvZDZi4tzudOt67MZ29y HSIZcNDKfakzAgoySO6N0saPWKcBNo4wcir+gnn5ImfrT8D1QSjK6Xc49VGX0qgNyOLb p/pCbcvS93jNaSGnute7USWW28egcjQruhukNYT11BBNWl6qIZOEPoEgj1Ygj3dox1nW 4dwV2Jupe2jYDHKRvVOQkuHymKbuDHnSRJhxGWk0JRop4SVCoCb0ex+hqdUD98LlJu3N iEHg== X-Gm-Message-State: AOJu0Yx3rxvYICVDMBbA+yNVz0HF9Trmj9NvsExxIQjnIaU2PgPxaX+M 7Dowwqcn+8YllXW/JqcsooiUfV4U6BpChmkH/cIwwDYGbO4= X-Google-Smtp-Source: AGHT+IHjs1YNEcva4VguHa5uYVxwvVQWlf3KvjfOZgTde3SkmRDPETrE+RVcrwnsMdflxwluW5/Jd78LRDXbon5kb6A= X-Received: by 2002:a05:6870:a107:b0:1b0:7eac:70ad with SMTP id m7-20020a056870a10700b001b07eac70admr11567152oae.39.1692043926717; Mon, 14 Aug 2023 13:12:06 -0700 (PDT) MIME-Version: 1.0 References: <64DA7ACC.1050909@adviesenzo.nl> In-Reply-To: <64DA7ACC.1050909@adviesenzo.nl> Date: Mon, 14 Aug 2023 21:11:54 +0100 Message-ID: To: Juliette Reinders Folmer Cc: internals@lists.php.net Content-Type: multipart/alternative; boundary="0000000000003249600602e7ad64" Subject: Re: [PHP-DEV] Removing support for the disable_classes INI setting From: george.banyard@gmail.com ("G. P. B.") --0000000000003249600602e7ad64 Content-Type: text/plain; charset="UTF-8" On Mon, 14 Aug 2023 at 20:04, Juliette Reinders Folmer < php-internals_nospam@adviesenzo.nl> wrote: > Hi George, > > For what its worth: in my experience, the `disable_classes` and > `disable_functions` ini directives are mostly used by hosting companies > providing shared/virtual host environments and, most often for those > environments, not editable by their users via a control panel or nor do > these users have (edit) access to the php.ini file. > To be clear, I have no intention of deprecating or removing disable_functions. This INI setting works very well and does not cause any issue within the engine. [...] > > Would deprecating it in PHP 8.3 and removing it in PHP 9.0 be an option ? > One option is to "keep" the INI setting, but have it basically do nothing. Is this what you had in mind? > As for the lack of bug reports - the typical type of end users using > those hosts will not know to report these type of issues to PHP (or even > be able to properly identify the issue). Instead they will complain > extensively to whatever open source project (read: WordPress) they are > running on the shared hosting without providing enough information for > the open source maintainers to even begin to identify the actual > issue... ;-) > On a minimal build of PHP, with only the mandatory extensions enabled, there are 148 classes/interfaces/traits defined. [1] Other than the SPL ones (and even then), disabling any of these classes will cause issues within the engine. Moreover, the SPL ones are not a security concern. Therefore, any other class that can be disabled must come from an extension that can be disabled altogether. And "disabling" a class from an extension without disabling said extension will render it useless anyway. If a hosting provided is concerned about an extension, then it should not enable it in the first place. Not break it ad hoc. Considering the above, I cannot see how this functionality was ever useful. This is in stark contrast to disable_functions, which can be used to selectively remove functionality of an extension without breaking it overall. George P. Banyard [1] https://gist.github.com/Girgias/63d55ba1e50b580412b004046daed02b --0000000000003249600602e7ad64--