ID: 50802 User updated by: h dot reindl at thelounge dot net Reported By: h dot reindl at thelounge dot net Status: Wont fix Bug Type: Feature/Change Request Operating System: All PHP Version: 5.2.12 New Comment:
> Suhosin doesn't disable functions. > It adds a separate blacklist > mechanism. Yes, and it works fine > This bug was about being able to do per-request disabling > with the existing disable_function mechanism. And shows that the existing mechnism is poorly implemented if you need a extension to make a SECURITY-SETTING usable which is able to do nearly the same and would not be needed if the php-core does handle this better Previous Comments: ------------------------------------------------------------------------ [2010-01-29 15:39:30] [email protected] Suhosin doesn't disable functions. It adds a separate blacklist mechanism. This bug was about being able to do per-request disabling with the existing disable_function mechanism. ------------------------------------------------------------------------ [2010-01-29 14:43:51] h dot reindl at thelounge dot net http://www.webhostingtalk.com/showthread.php?t=623944 If it is not possible because performance why it works with suhosin-extension perfectly with the only problem that "function_exists()" does not realize the suhosin setting? Sorry, but this sounds like "it's possible but i say is not because i do not like to touch the code" ------------------------------------------------------------------------ [2010-01-19 20:47:32] h dot reindl at thelounge dot net Hm very bad - so i have three choises * allow a function i would never like on all hosts * make a own httpd-instance for 2 vhosts * change the whole company-infrastructure especially adminpanel > The performance hit would be way too high About what time-gain are we speaking? I can not believe that refresh this list takes a really long time With open_basedir it works also and you have to check this before every fs-operation - where is the difference and would it not make sense to look how to optimize initalizing the functon table? > I agree with you that the phpinfo() out is misleading, > but that's not what you filed a bug about. Of course i have because i saw this day that a function is active that should not and i never ever would have configured the machine this way if phpinfo() had not shown me that the configuration is active ------------------------------------------------------------------------ [2010-01-19 20:37:26] [email protected] Of course it is per-request. The same Apache/PHP process will handle different virtual hosts from one request to the next. Allowing per- dir/per-vhost changing of the function table would mean we have to reload the function table on each and every request. I agree with you that the phpinfo() out is misleading, but that's not what you filed a bug about. ------------------------------------------------------------------------ [2010-01-19 20:30:38] h dot reindl at thelounge dot net Are you sure that this is "per-request"? It must not be allowed in htaccess because the ftp-owner could change It should be only read at startup with the server-configuration like "open_basedir", the really working security-settings per host you get only while combine "open_basedir" and "disable_functions" In some situations this would mean you need a own apache-instance with a own "php.ini" on an internal port and a proxy-configuration outside what is not nice to administrate However, phpinfo() never should show ignored values from httpd.conf or .htaccess because this is the place where the developers will look and if you confiure settings that not shown in php.ini you see this in phpinfo() and can take a look why ------------------------------------------------------------------------ The remainder of the comments for this report are too long. To view the rest of the comments, please view the bug report online at http://bugs.php.net/50802 -- Edit this bug report at http://bugs.php.net/?id=50802&edit=1
