Php: How to Disable Dangerous Functions

PHP: How To Disable Dangerous Functions

To disable functions, mainly for security reasons, you can use the disable_functions directive in your php.ini configuration file.

But, as the documentation states :

This directive must be set in php.ini
For example, you cannot set this in
httpd.conf.

I suppose this is too "internal" to be configurable anywhere else than in PHP... And as it's security related, it's up to the system administrator to configure it.

Still, the best security measure is to write clean/secure code, filter all input, escape all output... And not let anyone run their own code on your server !

How to deny the use of dangerous PHP functions?

Forget it. Reliable function whitelisting is not possible in php. Example:

$x = 'e' . str_replace('y', 'x', 'yec');
...lots of code...
$x('format c:');

realistic options are

• disabling functions (http://php.net/manual/en/ini.core.php#ini.disable-functions)
• sandboxing (see Recommendations for sandboxing inside PHP5 or alternatives?)

Programmatically disable specific PHP functions for testing

You can use runkit_function_remove to remove any defined function, I think:

runkit_function_remove('curl_init');

And, as per the documentation:

Note: By default, only userspace functions may be removed, renamed, or modified. In order to override internal functions, you must enable the runkit.internal_override setting in php.ini.

How to disable eval function without going to php.ini file?

It won't work, because eval() is not a function - it's a language construct. You can disable it with suhosin, a protection system for PHP. That's the only way I know of.

From PHP.net:

Note: Because this is a language construct and not a function,
it cannot be called using variable functions 

Disable php functions within htaccess

According to the PHP documentation, you can't use the disable_functions setting anywhere other than in a php.ini file, so I'm very surprised this is working at all.

If you need per-vhost or per-directory restrictions on functions, I would suggest using separate instances of PHP-FPM, each of which can have its own php.ini. It also provides additional security benefits, such as complete sandboxing per daemon instance.

How do I disable a function(s) from usage in PHP?

In the php.ini configuration file, you can use the disable_functions parameter. For example, to disable the symlink() and system() functions, you would use:

disable_functions = "symlink,system"

How to disable ini_set and exec for a particular VirtualHost?

You're looking for the disable_functions entry in your php.ini.
So you want a different php.ini for your particular VirtualHost. That could be done via "PHPINIDir"

<virtualhost *:80>
    ServerName www.example.com
    DocumentRoot /path/to/example.com
    PHPINIDir /whatever/path/to/php.ini
</virtualhost>

UPDATE: I removed the example with php_admin_value because, as others have noted in the comments, it wouldn't work with this particular setting. As was discussed here: php_admin_value disable_functions not working ( sorry ... should have looked it up beforehand).

Sharing access to use PHP for users - any tips?

Don't. There is no way to do this safely.

PHP was not designed for this application. It has no way to filter function calls at runtime.

Filtering user-generated code is unlikely to be effective either. There are a lot of subtle ways to bypass all of the obvious approaches to filtering -- for instance, a function call can be concealed by using indirect function call syntax:

$fn = "system";
$fn("evil command");

or by using commands which you may not realize are equivalent to eval, such as assert, create_function, or even preg_exec in some versions of PHP.

Why PHP function `curl_exec ` should be disabled?

It could be used to create a request loop on itself, which would lock the server. It could also be used to impersonate the site or proxy requests. If those are good enough reasons to disable curl_exex, really depends how much you trust the code.

---

Related Topics