Newsgroups: php.internals
Xref: news.php.net php.internals:99210
Date: Sat, 27 May 2017 21:20:26 -0600
To: internals@lists.php.net
Subject: Re: [PHP-DEV] Improve (disable|enable)_functions #65386
From: own3mall@gmail.com (OwN-3m-All)

Is there any update on this request? I can see quite a few security concerns that could be mitigated if we could enable and disable certain functions at the virtual host level. nginx paired with php-fpm appears to already work this way. For consistency purposes, shouldn't this be implemented in the Apache PHP module as well? It should work the way nginx does.

For example, in nginx, I can use the following (below is just a sample example):

server {
    listen 80;
    server_name example.com;
    root {homedir}/httpdocs;
    index index.html index.htm index.php;

    location ~ \.php$ {
        root {homedir}/httpdocs;
        include fastcgi_params;
        try_files $uri =404;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PHP_ADMIN_VALUE "disable_functions=exec,passthru,shell_exec,system,proc_open,popen";
        fastcgi_read_timeout 300;
        limit_req zone=one burst=5;
    }
}

The functions specified in the domain-specific configuration are properly disabled in nginx.
But in Apache, this does NOT work:

<VirtualHost *:80>
    ServerName {domainname}
    DocumentRoot {homedir}/httpdocs
    DirectoryIndex index.htm index.html index.php
    php_admin_value disable_functions "exec,passthru,shell_exec,system,proc_open,popen"
</VirtualHost>

Considering we can set so many other admin values in the virtual host configuration, I really don't see why this wouldn't be possible. It would be useful and improve security. I'm hoping someone can implement a solution for this at some point because until then, I plan to use nginx since I can control function usage.
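A verification script, added here and not part of the post or of PHP's own code, for confirming whether a vhost-level disable_functions setting actually took effect. The file name fncheck.php and the function list are assumptions; place it in the vhost's document root and request it through the web server so it runs under that vhost's configuration.

```php
<?php
// Added verification script; not code from the post or from PHP itself.
// Assumed name: fncheck.php. Request it through the web server so it runs
// under the vhost's PHP configuration (running it from the CLI would test
// the CLI's php.ini instead). Remove it afterwards: it discloses config.

/**
 * Returns the subset of $expected that is still callable, i.e. NOT
 * enforced by disable_functions in the current request context.
 * function_exists() returns false for a function removed by
 * disable_functions, so this tests enforcement, not just the INI string.
 */
function stillCallable(array $expected): array
{
    return array_values(array_filter($expected, 'function_exists'));
}

// The list the post's configuration is meant to disable (assumed here).
$expected = ['exec', 'passthru', 'shell_exec', 'system', 'proc_open', 'popen'];

// Effective INI value as PHP sees it for this request.
$iniValue = (string) ini_get('disable_functions');
$listed   = array_filter(array_map('trim', explode(',', $iniValue)));

header('Content-Type: text/plain');
echo 'SAPI: ', PHP_SAPI, "\n";
echo 'disable_functions (effective): ', $iniValue === '' ? '(empty)' : $iniValue, "\n\n";

$callable = stillCallable($expected);
foreach ($expected as $fn) {
    // "listed" = named in the INI string; "callable" = actually usable.
    printf("%-11s listed=%-3s callable=%-3s\n",
        $fn,
        in_array($fn, $listed, true) ? 'yes' : 'no',
        in_array($fn, $callable, true) ? 'yes' : 'no');
}

echo "\n";
if ($callable) {
    echo 'FAIL: still callable in this vhost: ', implode(', ', $callable), "\n";
} else {
    echo "OK: all expected functions are disabled in this vhost.\n";
}
```

disable_functions is a PHP_INI_SYSTEM directive that mod_php evaluates once at module startup rather than per vhost, which is why the vhost-level php_admin_value above is not enforced; with php-fpm, one pool per vhost carrying php_admin_value[disable_functions] in the pool configuration gives the same per-site control as the nginx fastcgi_param.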