Edit report at https://bugs.php.net/bug.php?id=62397&edit=1
ID: 62397
User updated by: spamik at yum dot pl
Reported by: spamik at yum dot pl
Summary: disable_functions = eval does not work
Status: Not a bug
-Type: Bug
+Type: Feature/Change Request
Package: *General Issues
PHP Version: 5.3.14
Block user comment: N
Private report: N
New Comment:
I think that that not only should be done but also made default php behavior,
to
stop widespread madness of php code infection. Eval should be by default
disabled
in php like 5.5 ...
Previous Comments:
------------------------------------------------------------------------
[2012-06-24 04:02:31] spamik at yum dot pl
feature request then
------------------------------------------------------------------------
[2012-06-24 03:59:29] krzf83 at gmail dot com
treat it as feature request if it helps you sleep at night. However this issue
is
critical in face of current mailicous code boom. Eval (by base64_encode etc)
does
not allow for any scanning and detection. This funcionality of php had begun
its
downfall really. People are migrating to other languages just because
infections
there are rare and code cannot be just like that obfucated!
------------------------------------------------------------------------
[2012-06-24 03:56:32] krzf83 at gmail dot com
"eval is not a function but language construct" - that might be the reason why
disable_functions don't work on it now but that does not mean it could not or
should not.
I would not dismiss this isssue so easily. Eval problem caused that php is
currently (almost) only one language is so often infected. It allows for
attacker to hide code, purpose, use ecodings (like base64) to diminish any hope
of detection by searching for common traits (like antivirus software does).
Eval is a functionality of php and could be disabled if apropriate
modifications
to php source code were made.
------------------------------------------------------------------------
[2012-06-23 12:52:55] bobwei9 at hotmail dot com
Why can't you simply add a new core directive for disabling this language
construct?
------------------------------------------------------------------------
[2012-06-23 12:29:45] larue...@php.net
as I said, eval is not a *function*, so disable_*functions* has no effect to
eval..
------------------------------------------------------------------------
The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at
https://bugs.php.net/bug.php?id=62397
--
Edit this bug report at https://bugs.php.net/bug.php?id=62397&edit=1
