Hi Weilin Du
On 07.06.26 08:58, Weilin Du wrote:
We now have clarification of open_basedir that it shouldn't be rely
upon when security matters [1] since there are a lot of ways to game
it. Now, with many well-known exploitable UAFs in php, it is clear
that people could easily getshell if they can execute php codes.
Therefore, I suggest to make the same clarification on documentations
to warn people that this is an extra safety net rather than something
anyone can fully rely on.
We already have the security policy on php/php-src github repo to
reject disable_functions bypass as a security issue [2] although it is
not listed in wiki [3]. Given that, I think it is reasonable to have
warnings on our documentation to avoid the false sense of security it
weirdly provides.
I know this should goes to [email protected] but I think this
requires further discussion internally as a security policy issue,
like what we've done on open_basedir before [4]
[1] https://www.php.net/manual/en/ini.core.php
[2] https://github.com/php/php-src/security/policy
[3] https://wiki.php.net/security
[4] https://externals.io/message/115411
The docs already contain the same warning:
https://www.php.net/manual/en/ini.core.php#ini.disable-functions
You can just send a PR to the policy repo to reflect that. The wiki
entry has been moved to the policy repo, as the note at the top of the
page indicates.
Ilija
