ID:               50802
Updated by:       [email protected]
Reported By:      h dot reindl at thelounge dot net
Status:           Wont fix
Bug Type:         Feature/Change Request
Operating System: All
PHP Version:      5.2.12
New Comment:

Suhosin doesn't disable functions. It adds a separate blacklist mechanism. This bug was about being able to do per-request disabling with the existing disable_function mechanism.

Previous Comments:
------------------------------------------------------------------------

[2010-01-29 14:43:51] h dot reindl at thelounge dot net

http://www.webhostingtalk.com/showthread.php?t=623944

If it is not possible because of performance, why does it work perfectly with the suhosin-extension, with the only problem that "function_exists()" does not realize the suhosin setting?

Sorry, but this sounds like "it's possible but I say it is not because I do not like to touch the code".

------------------------------------------------------------------------

[2010-01-19 20:47:32] h dot reindl at thelounge dot net

Hm, very bad - so I have three choices:

* allow a function I would never like on all hosts
* make an own httpd-instance for 2 vhosts
* change the whole company-infrastructure, especially the adminpanel

> The performance hit would be way too high

About what time-gain are we speaking? I can not believe that refreshing this list takes a really long time.

With open_basedir it works also and you have to check this before every fs-operation - where is the difference, and would it not make sense to look at how to optimize initializing the function table?

> I agree with you that the phpinfo() output is misleading,
> but that's not what you filed a bug about.

Of course I have, because I saw this day that a function is active that should not be, and I never ever would have configured the machine this way if phpinfo() had not shown me that the configuration is active.

------------------------------------------------------------------------

[2010-01-19 20:37:26] [email protected]

Of course it is per-request. The same Apache/PHP process will handle different virtual hosts from one request to the next. Allowing per-dir/per-vhost changing of the function table would mean we have to reload the function table on each and every request.

I agree with you that the phpinfo() output is misleading, but that's not what you filed a bug about.

------------------------------------------------------------------------

[2010-01-19 20:30:38] h dot reindl at thelounge dot net

Are you sure that this is "per-request"?

It must not be allowed in htaccess because the ftp-owner could change it. It should be only read at startup with the server-configuration like "open_basedir"; the really working security-settings per host you get only by combining "open_basedir" and "disable_functions".

In some situations this would mean you need an own apache-instance with an own "php.ini" on an internal port and a proxy-configuration outside, which is not nice to administrate.

However, phpinfo() never should show ignored values from httpd.conf or .htaccess, because this is the place where the developers will look, and if you configure settings that are not shown in php.ini you see this in phpinfo() and can take a look why.

------------------------------------------------------------------------

[2010-01-19 20:22:55] [email protected]

It is not technically feasible to support per-request changing of the function table, sorry. The performance hit would be way too high to be useful. This can only be set at startup, which is why it is php.ini only.

------------------------------------------------------------------------

The remainder of the comments for this report are too long. To view the rest of the comments, please view the bug report online at http://bugs.php.net/50802

-- 
Edit this bug report at http://bugs.php.net/?id=50802&edit=1
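
The thread's outcome is that disable_functions takes effect only from php.ini, while a value placed in httpd.conf or .htaccess is ignored yet may still appear in phpinfo(). As an added example (not part of the bug report or of PHP itself), the shell function below lists such directives per virtual host so an administrator can find hosts where the setting restricts nothing; the sample config, host names and paths are constructed.

```shell
#!/bin/sh
# Added example, not from the bug report: list disable_functions directives
# found in Apache config or .htaccess files. Per the thread, PHP honours this
# setting from php.ini at startup only, so these lines restrict nothing.

# audit_disable_functions FILE...
# Output: file:line:scope:directive, where scope is the ServerName of the
# enclosing vhost, "(unnamed vhost)", or "(outside vhost)".
audit_disable_functions() {
    awk '
        function emit(   i) {   # print findings buffered for the current scope
            for (i = 1; i <= n; i++) printf "%s:%s:%s\n", loc[i], scope, txt[i]
            n = 0
        }
        FNR == 1 { emit(); scope = "(outside vhost)"; invh = 0 }
        { line = $0; sub(/^[ \t]+/, "", line); low = tolower(line) }
        low ~ /^#/ { next }     # commented-out directives are not findings
        low ~ /^<virtualhost[ \t>]/ { emit(); invh = 1; scope = "(unnamed vhost)"; next }
        low ~ /^<\/virtualhost>/    { emit(); invh = 0; scope = "(outside vhost)"; next }
        invh && low ~ /^servername[ \t]/ { split(line, f, /[ \t]+/); scope = f[2]; next }
        low ~ /^php_(admin_)?value[ \t]+"?disable_functions([ \t"]|$)/ {
            n++; loc[n] = FILENAME ":" FNR; txt[n] = line
        }
        END { emit() }
    ' "$@"
}

# Constructed sample input (hypothetical host names and paths).
write_sample_conf() {
    cat > "$1" <<'EOF'
<VirtualHost *:80>
    php_admin_value disable_functions "exec,system,passthru"
    ServerName shop.example.test
    php_admin_value open_basedir /srv/www/shop
</VirtualHost>
<VirtualHost *:80>
    ServerName blog.example.test
    # php_admin_value disable_functions exec
</VirtualHost>
php_value disable_functions popen
EOF
}

# Demo on the constructed sample.
tmp=$(mktemp) && write_sample_conf "$tmp" && audit_disable_functions "$tmp"; rm -f "$tmp"
```

Findings are buffered until the closing `</VirtualHost>` so a ServerName that appears after the directive is still reported; open_basedir lines are deliberately not flagged because the thread notes that setting does work per host.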
