is_callable and function_exists with disable_functions

9 years ago by Xinchen Hui — view source

unread

Hey Internal:

there is one confused behavior with disable_functions:

 $ sapi/cli/php -n -d disable_functions=strlen -r

'var_dump(function_exists("strlen"));
var_dump(is_callable("strlen"));'
bool(false)
bool(true)

  as you can see,  strlen is disabled by disable_functions.

  function_exisis tell it is not exists but is_callable said it is

callable..

  do you mind if I change the current behavior of is_callable , to

return false on this case?

  or, at least, change function_exists's behavior instead?

thanks

--
Xinchen Hui
@Laruence
http://www.laruence.com/

9 years ago by Remi Collet — view source

unread

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Le 26/03/2015 16:21, Xinchen Hui a écrit :

Hey Internal:

there is one confused behavior with disable_functions:

$ sapi/cli/php -n -d disable_functions=strlen -r
'var_dump(function_exists("strlen"));
var_dump(is_callable("strlen"));' bool(false) bool(true)

as you can see, strlen is disabled by disable_functions.

function_exisis tell it is not exists but is_callable said it is
callable..

do you mind if I change the current behavior of is_callable , to
return false on this case?

Make sense

or, at least, change function_exists's behavior instead?

Seems a bad idea.

Remi.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlUUJokACgkQYUppBSnxahh+twCgs0dJR8Vt1Tj0VK/9kD0llrp0
OIsAn0uw9zd8fSY5mjbvEkTeh0Ehu2Zs
=Ue6n
-----END PGP SIGNATURE

9 years ago by Kalle Sommer Nielsen — view source

unread

Forgot to CC list

---------- Forwarded message ----------
From: Kalle Sommer Nielsen kalle@php.net
Date: 2015-03-26 20:06 GMT+01:00
Subject: Re: [PHP-DEV] is_callable and function_exists with disable_functions
To: Remi Collet remi@fedoraproject.org

2015-03-26 16:32 GMT+01:00 Remi Collet remi@fedoraproject.org:

do you mind if I change the current behavior of is_callable , to
return false on this case?

Make sense

or, at least, change function_exists's behavior instead?

Seems a bad idea.

I agree with both points here, I think is_callable() should mimic
function_exists() behavior, is this the same case for disable_classes?

--
regards,

Kalle Sommer Nielsen
kalle@php.net

--
regards,

Kalle Sommer Nielsen
kalle@php.net

9 years ago by Xinchen Hui — view source

unread

Hey:

Forgot to CC list

---------- Forwarded message ----------
From: Kalle Sommer Nielsen kalle@php.net
Date: 2015-03-26 20:06 GMT+01:00
Subject: Re: [PHP-DEV] is_callable and function_exists with disable_functions
To: Remi Collet remi@fedoraproject.org

2015-03-26 16:32 GMT+01:00 Remi Collet remi@fedoraproject.org:

do you mind if I change the current behavior of is_callable , to
return false on this case?

Make sense

or, at least, change function_exists's behavior instead?

Seems a bad idea.

I agree with both points here, I think is_callable() should mimic
function_exists() behavior, is this the same case for disable_classes?

yeah. but a little bit different

class_exists return trun with disabled classes :<

$ sapi/cli/php -d disable_classes=ArrayObject -r
"var_dump(class_exists('arrayobject')); new ArrayObject(); "
bool(true)
PHP Warning: ArrayObject() has been disabled for security reasons in
Command line code on line 1

Warning: ArrayObject() has been disabled for security reasons in
Command line code on line 1

thanks

--
regards,

Kalle Sommer Nielsen
kalle@php.net

--
regards,

Kalle Sommer Nielsen
kalle@php.net

--

--
Xinchen Hui
@Laruence
http://www.laruence.com/

9 years ago by Yasuo Ohgaki — view source

unread

Hi all,

On Fri, Mar 27, 2015 at 3:06 AM, Kalle Sommer Nielsen kalle@php.net
wrote:

Forgot to CC list

---------- Forwarded message ----------
From: Kalle Sommer Nielsen kalle@php.net
Date: 2015-03-26 20:06 GMT+01:00
Subject: Re: [PHP-DEV] is_callable and function_exists with
disable_functions
To: Remi Collet remi@fedoraproject.org

2015-03-26 16:32 GMT+01:00 Remi Collet remi@fedoraproject.org:

do you mind if I change the current behavior of is_callable , to
return false on this case?

Make sense

or, at least, change function_exists's behavior instead?

Seems a bad idea.

I agree with both points here, I think is_callable() should mimic
function_exists() behavior, is this the same case for disable_classes?

yeah. but a little bit different

class_exists return trun with disabled classes :<

$ sapi/cli/php -d disable_classes=ArrayObject -r
"var_dump(class_exists('arrayobject')); new ArrayObject(); "
bool(true)
PHP Warning: ArrayObject() has been disabled for security reasons in
Command line code on line 1

Warning: ArrayObject() has been disabled for security reasons in
Command line code on line 1

Returning true for is_callable/class_exists even when it isn't usable does
not make much sense. How about fix them all?

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net

9 years ago by Xinchen Hui — view source

unread

Hey:

Hi all,

On Fri, Mar 27, 2015 at 3:06 AM, Kalle Sommer Nielsen kalle@php.net
wrote:

Forgot to CC list

---------- Forwarded message ----------
From: Kalle Sommer Nielsen kalle@php.net
Date: 2015-03-26 20:06 GMT+01:00
Subject: Re: [PHP-DEV] is_callable and function_exists with
disable_functions
To: Remi Collet remi@fedoraproject.org

2015-03-26 16:32 GMT+01:00 Remi Collet remi@fedoraproject.org:

do you mind if I change the current behavior of is_callable , to
return false on this case?

Make sense

or, at least, change function_exists's behavior instead?

Seems a bad idea.

I agree with both points here, I think is_callable() should mimic
function_exists() behavior, is this the same case for disable_classes?

yeah. but a little bit different

class_exists return trun with disabled classes :<

$ sapi/cli/php -d disable_classes=ArrayObject -r
"var_dump(class_exists('arrayobject')); new ArrayObject(); "
bool(true)
PHP Warning: ArrayObject() has been disabled for security reasons in
Command line code on line 1

Warning: ArrayObject() has been disabled for security reasons in
Command line code on line 1

Returning true for is_callable/class_exists even when it isn't usable does
not make much sense. How about fix them all?

I filed a bug here: https://bugs.php.net/bug.php?id=69315&thanks=4

will make a fix soon

thanks

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net

--
Xinchen Hui
@Laruence
http://www.laruence.com/

9 years ago by Dmitry Stogov — view source

unread

Unfortunately this id not so simple :(

If we change class_exists() the following code will stop working

<?php
if (!class_exists("SomeInternalClass")) {
class SomeInternalClass {}
}
?>

On the other hand function_exists() already behaves differently. (so
function_exists() and class_exists() are inconsistent) :(
Changing is_callable() semantic may be dangerous as well.
What is we disable strcmp() and then pass is as a callback to usort()?

I wouldn't make any changes in hurry. this should be discussed and analysed
carefully.

However preventing conversion of disabled functions into opcodes and their
optimization makes full sense.

Thanks. Dmitry.

Hey:

Hi all,

On Fri, Mar 27, 2015 at 3:06 AM, Kalle Sommer Nielsen kalle@php.net
wrote:

Forgot to CC list

---------- Forwarded message ----------
From: Kalle Sommer Nielsen kalle@php.net
Date: 2015-03-26 20:06 GMT+01:00
Subject: Re: [PHP-DEV] is_callable and function_exists with
disable_functions
To: Remi Collet remi@fedoraproject.org

2015-03-26 16:32 GMT+01:00 Remi Collet remi@fedoraproject.org:

do you mind if I change the current behavior of is_callable , to
return false on this case?

Make sense

or, at least, change function_exists's behavior instead?

Seems a bad idea.

I agree with both points here, I think is_callable() should mimic
function_exists() behavior, is this the same case for disable_classes?

yeah. but a little bit different

class_exists return trun with disabled classes :<

$ sapi/cli/php -d disable_classes=ArrayObject -r
"var_dump(class_exists('arrayobject')); new ArrayObject(); "
bool(true)
PHP Warning: ArrayObject() has been disabled for security reasons in
Command line code on line 1

Warning: ArrayObject() has been disabled for security reasons in
Command line code on line 1

Returning true for is_callable/class_exists even when it isn't usable
does
not make much sense. How about fix them all?

I filed a bug here: https://bugs.php.net/bug.php?id=69315&thanks=4

will make a fix soon

thanks

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net

--
Xinchen Hui
@Laruence
http://www.laruence.com/

9 years ago by Xinchen Hui — view source

unread

Hey:

Unfortunately this id not so simple :(

If we change class_exists() the following code will stop working

<?php
if (!class_exists("SomeInternalClass")) {
class SomeInternalClass {}
}
?>

On the other hand function_exists() already behaves differently. (so
function_exists() and class_exists() are inconsistent) :(
Changing is_callable() semantic may be dangerous as well.
What is we disable strcmp() and then pass is as a callback to usort()?

too bad :<

I wouldn't make any changes in hurry. this should be discussed and analysed
carefully.

However preventing conversion of disabled functions into opcodes and their
optimization makes full sense.

okey, I will separate these part to a single fix

thanks

Thanks. Dmitry.

Hey:

Hi all,

On Fri, Mar 27, 2015 at 3:06 AM, Kalle Sommer Nielsen kalle@php.net
wrote:

Forgot to CC list

---------- Forwarded message ----------
From: Kalle Sommer Nielsen kalle@php.net
Date: 2015-03-26 20:06 GMT+01:00
Subject: Re: [PHP-DEV] is_callable and function_exists with
disable_functions
To: Remi Collet remi@fedoraproject.org

2015-03-26 16:32 GMT+01:00 Remi Collet remi@fedoraproject.org:

do you mind if I change the current behavior of is_callable , to
return false on this case?

Make sense

or, at least, change function_exists's behavior instead?

Seems a bad idea.

I agree with both points here, I think is_callable() should mimic
function_exists() behavior, is this the same case for
disable_classes?

yeah. but a little bit different

class_exists return trun with disabled classes :<

$ sapi/cli/php -d disable_classes=ArrayObject -r
"var_dump(class_exists('arrayobject')); new ArrayObject(); "
bool(true)
PHP Warning: ArrayObject() has been disabled for security reasons in
Command line code on line 1

Warning: ArrayObject() has been disabled for security reasons in
Command line code on line 1

Returning true for is_callable/class_exists even when it isn't usable
does
not make much sense. How about fix them all?

I filed a bug here: https://bugs.php.net/bug.php?id=69315&thanks=4

will make a fix soon

thanks

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net

--
Xinchen Hui
@Laruence
http://www.laruence.com/

--

--
Xinchen Hui
@Laruence
http://www.laruence.com/