Is there any update on this request?
I can see quite a few security concerns that could be mitigated if we
could enable and disable certain functions at the virtual host level.
nginx paired with php-fpm appears to already work this way. For
consistency purposes, shouldn't this be implemented in the Apache PHP
module as well? It should work the way nginx does.
For example, in nginx, I can use the following (below is just a sample):

    server {
        listen 80;
        server_name example.com;
        root {homedir}/httpdocs;
        index index.html index.htm index.php;
        location ~ \.php$ {
            root {homedir}/httpdocs;
            include fastcgi_params;
            try_files $uri =404;
            fastcgi_pass 127.0.0.1:9000;
            fastcgi_index index.php;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            # Passed to php-fpm as an admin value for this server block only
            fastcgi_param PHP_ADMIN_VALUE "disable_functions=exec,passthru,shell_exec,system,proc_open,popen";
            fastcgi_read_timeout 300;
            limit_req zone=one burst=5;
        }
    }

The functions specified in the domain-specific configuration are
properly disabled in nginx. But in Apache, this does NOT work:

    <VirtualHost *>
        ServerName {domainname}
        DocumentRoot {homedir}/httpdocs
        DirectoryIndex index.htm index.html index.php
        php_admin_value disable_functions "exec,passthru,shell_exec,system,proc_open,popen"
    </VirtualHost>

Considering we can set so many other admin values in the virtual host
configuration, I really don't see why this wouldn't be possible. It
would be useful and improve security. I'm hoping someone can
implement a solution for this at some point because until then, I plan
to use nginx since I can control function usage.
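
An added example, not part of the post above: a small audit that walks nginx server blocks and reports which functions from a required baseline are not covered by a `fastcgi_param PHP_ADMIN_VALUE "disable_functions=..."` line. The baseline is the function list from the post; the host names in the sample config are constructed, and the brace matching assumes no braces inside quoted strings or location regexes.

```python
import re

# Baseline: the function list used in the post above.
REQUIRED = {"exec", "passthru", "shell_exec", "system", "proc_open", "popen"}

# Constructed sample: the second block omits two functions, the third sets none.
SAMPLE = r'''
server {
    server_name example.com;
    location ~ \.php$ {
        fastcgi_param PHP_ADMIN_VALUE
            "disable_functions=exec,passthru,shell_exec,system,proc_open,popen";
    }
}
server {
    server_name shop.example.com;
    location ~ \.php$ {
        fastcgi_param PHP_ADMIN_VALUE "disable_functions=exec,passthru,shell_exec,system";
    }
}
server {
    server_name legacy.example.com;
    location ~ \.php$ { fastcgi_pass 127.0.0.1:9000; }
}
'''

def server_blocks(conf):
    """Yield the body of each `server { ... }` block using brace matching."""
    for m in re.finditer(r'\bserver\s*\{', conf):
        depth, i = 1, m.end()
        while depth and i < len(conf):
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield conf[m.end():i - 1]

def audit(conf, required=REQUIRED):
    """Map server_name -> sorted list of required functions left enabled."""
    report = {}
    for body in server_blocks(conf):
        name = re.search(r'\bserver_name\s+([^;\s]+)', body)
        disabled = set()
        # PHP_ADMIN_VALUE may carry several newline-separated settings.
        for value in re.findall(r'fastcgi_param\s+PHP_ADMIN_VALUE\s+"([^"]*)"', body):
            for val in re.findall(r'^\s*disable_functions\s*=(.*)$', value, re.M):
                disabled |= {f.strip() for f in val.split(",") if f.strip()}
        report[name.group(1) if name else "(unnamed)"] = sorted(required - disabled)
    return report

if __name__ == "__main__":
    for host, missing in audit(SAMPLE).items():
        print(host, "OK" if not missing else "missing: " + ", ".join(missing))
```

The audit only reads what nginx forwards; it does not confirm what php-fpm ends up enforcing, so treat an "OK" as a config check rather than a runtime guarantee.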