Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:98278 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 55289 invoked from network); 10 Feb 2017 09:02:34 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 10 Feb 2017 09:02:34 -0000 Authentication-Results: pb1.pair.com header.from=ben.rubson@gmail.com; sender-id=pass Authentication-Results: pb1.pair.com smtp.mail=ben.rubson@gmail.com; spf=pass; sender-id=pass Received-SPF: pass (pb1.pair.com: domain gmail.com designates 74.125.82.44 as permitted sender) X-PHP-List-Original-Sender: ben.rubson@gmail.com X-Host-Fingerprint: 74.125.82.44 mail-wm0-f44.google.com Received: from [74.125.82.44] ([74.125.82.44:36859] helo=mail-wm0-f44.google.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id 7D/4C-33872-8A18D985 for ; Fri, 10 Feb 2017 04:02:33 -0500 Received: by mail-wm0-f44.google.com with SMTP id c85so254028245wmi.1 for ; Fri, 10 Feb 2017 01:02:32 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:subject:from:in-reply-to:date :content-transfer-encoding:message-id:references:to; bh=AayEz+K7isqXbvMmfJklfK6CH/EFsnMW1L8YHGiAdkA=; b=OR5lSfB8pER5DGG7esLxnkaIescVonkbXuTNsyRFFu3ysxWGHDZVvlK322ZA6xawtZ huCOG9xMBk5/WjfyNB7jcdGO+hbqzyOVkuw2W+nD60IXwf+ofqNSQfjQBKH+Yx2NVEKB enko4I1popBhFOy0H9DNd7/p2S/F+LWLkJlbC2xwMztk5htzKk63LvedGB2Cr0tlPjUK sIA0W68MIV0AYI4hEG3sSssfea0W+w2Q+pSP4LaYz0ggD+Gu8DsloGznR9Oqvc+oHI0K 9/ySKmw0a+dSPsi/1aQHztJu+GOGCBV9Zu5zLWODze1fpYLJZwI49pmCPE7cjFs1RMiL Zi8g== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date :content-transfer-encoding:message-id:references:to; bh=AayEz+K7isqXbvMmfJklfK6CH/EFsnMW1L8YHGiAdkA=; b=nQbMZeyLBfZBavbUcckHVnlNtbfoLR0EtlsECiwY39WC5JQh5VCfINM0ZocLBRCwlp nVQzPYcCdqq9KEX09ZFM5BSarBSRXhLt2O8uaZC5252oBEsiW69E9negHOI4WQ770KF7 HSN5nNvx+LwFWv069ACQp7G09/rY69It3KT6Zbi2LyfRQCw3E/jFs05mp3//pEbQ7PUA fy5HEBVXlxGaFQpVnGxPOGhMQHLbKrTYXCftUdtDFOAqyE/QcCd6nvX8PtJTyq0Dlk4j 4rvZwxMRNsG9SsVo6dF1KUPNLppE+ECdaBxxW1UN/uEaIAGUKLx1teOHnjybkClPGgjq g2XA== X-Gm-Message-State: AMke39mfgOOWwaouZnreBHHRQCRI0g+WBUET0gSV71DF8fIv3ukoTRYUHcEqDeVRPMypdw== X-Received: by 10.28.173.74 with SMTP id w71mr24535766wme.14.1486717349611; Fri, 10 Feb 2017 01:02:29 -0800 (PST) Received: from ben.home ([2a01:cb1d:125:8a00:193f:f19d:c1a:7141]) by smtp.gmail.com with ESMTPSA id w204sm504428wmd.17.2017.02.10.01.02.28 for (version=TLS1 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Fri, 10 Feb 2017 01:02:28 -0800 (PST) Content-Type: text/plain; charset=us-ascii Mime-Version: 1.0 (Mac OS X Mail 9.3 \(3124\)) In-Reply-To: Date: Fri, 10 Feb 2017 10:02:27 +0100 Content-Transfer-Encoding: quoted-printable Message-ID: <1FC170E6-5207-45F3-8DF7-8B50787DCCA7@gmail.com> References: <4CD4DCCC-6643-4A66-B6AD-4BF0EF89FDA9@gmail.com> To: PHP internals X-Mailer: Apple Mail (2.3124) Subject: Re: [PHP-DEV] Improve (disable|enable)_functions #65386 From: ben.rubson@gmail.com (Ben RUBSON) > On 09 Feb 2017, at 18:12, Sara Golemon wrote: Thank you very much Sara for your feedback ! > On Thu, Jan 19, 2017 at 6:18 AM, Ben RUBSON = wrote: >> As proposed by cmb (thank you !), I open a discussion regarding req = #65386 : >> https://bugs.php.net/bug.php?id=3D65386 >>=20 >> It summarizes requests around disable_functions directive : >> - modification of disable_functions to be a PHP_INI_SYSTEM directive = ; >>=20 > Could you clarify? `disable_functions` *IS* a PHP_INI_SYSTEM = directive: >=20 > PHP_INI_ENTRY("disable_functions", "", PHP_INI_SYSTEM, NULL) However, as per all the bugs referenced by #65386, using "php_admin_value disable_functions" in httpd.conf does not = correctly work. The main issue certainly is that it can't be used per vhost. (note that it however still affects their local ini value) >> - implementation of enable_functions as a PHP_INI_SYSTEM directive ; >>=20 > I'm not a big fan of a whitelist for weakening/overriding a blacklist = setting. (*) > There's also a technical hurdle here due to the way that functions are > (currently) disabled. It's INI_SYSTEM because enabling/disabling on a > per-request (per vhost essentially means per request) basis means a > lot more heavy lifting than disabling on a system-wide level (we just > replace the function implementation in the global table with a STFU > message). Sounds like it would then require some dev to achieve this behaviour. Would it however hurt requests performance ? > func->handler =3D ZEND_FN(display_disabled_function); >=20 >=20 >> - support of wildcards in these 2 directives. >>=20 > I could potentially get down with wildcards. It's way easier to > exhaustively cover an entire class of functions, Yep, as it's quite hard to maintain an exhaustive list of functions... > but if the goal is to > disable an entire extension's worth of functions, wouldn't one > just.... not load that extension? Because one would certainly want to re-enable one of these functions in one of its vhosts (or even globally in php.ini) :) > I understand this part makes more sense with the `enable_functions` > idea, but... see above. Yes, this would really be convenient : - in php.ini : disable_functions =3D *socket* - in a "trusted" vhost : enable_functions =3D stream_socket_client And as only the server administrator can tune these parameters, there is no weakening (*) risk :) Thank you ! Ben=