Hi,
We now have clarification of open_basedir that it shouldn't be rely upon when security matters [1] since there are a lot of ways to game it. Now, with many well-known exploitable UAFs in php, it is clear that people could easily getshell if they can execute php codes. Therefore, I suggest to make the same clarification on documentations to warn people that this is an extra safety net rather than something anyone can fully rely on.
We already have the security policy on php/php-src github repo to reject disable_functions bypass as a security issue [2] although it is not listed in wiki [3]. Given that, I think it is reasonable to have warnings on our documentation to avoid the false sense of security it weirdly provides.
I know this should goes to phpdoc@lists.php.net but I think this requires further discussion internally as a security policy issue, like what we've done on open_basedir before [4]
Best regards,
Weilin Du
[1] https://www.php.net/manual/en/ini.core.php
[2] https://github.com/php/php-src/security/policy
[3] https://wiki.php.net/security
[4] https://externals.io/message/115411
Following-up: Seems like this is more like a translation issue, the translated Simplified Chinese version (and several others) of the document miss that part of warning. The warning already exists on the English version [1].
So this suggestion should be retreated on the internal mailing list, I am updating the wiki and will send patches to translations. Sorry for the noise.
Best regards,
Weilin Du
[1] https://www.php.net/manual/en/ini.core.php#ini.disable-functions
Hi Weilin Du
We now have clarification of open_basedir that it shouldn't be rely
upon when security matters [1] since there are a lot of ways to game
it. Now, with many well-known exploitable UAFs in php, it is clear
that people could easily getshell if they can execute php codes.
Therefore, I suggest to make the same clarification on documentations
to warn people that this is an extra safety net rather than something
anyone can fully rely on.We already have the security policy on php/php-src github repo to
reject disable_functions bypass as a security issue [2] although it is
not listed in wiki [3]. Given that, I think it is reasonable to have
warnings on our documentation to avoid the false sense of security it
weirdly provides.I know this should goes to phpdoc@lists.php.net but I think this
requires further discussion internally as a security policy issue,
like what we've done on open_basedir before [4][1] https://www.php.net/manual/en/ini.core.php
[2] https://github.com/php/php-src/security/policy
[3] https://wiki.php.net/security
[4] https://externals.io/message/115411
The docs already contain the same warning:
https://www.php.net/manual/en/ini.core.php#ini.disable-functions
You can just send a PR to the policy repo to reflect that. The wiki
entry has been moved to the policy repo, as the note at the top of the
page indicates.
Ilija