"disable_functions" php.ini option does not work on Zend extensions

Bug #49065	"disable_functions" php.ini option does not work on Zend extensions
Submitted:	2009-07-26 15:23 UTC	Modified:	2009-07-29 00:19 UTC
From:	yoram dot b at zend dot com	Assigned:
Status:	Closed	Package:	Scripting Engine problem
PHP Version:	5.*, 6SVN (2009-07-26)	OS:	*
Private report:	No	CVE-ID:	None

[2009-07-26 15:23 UTC] yoram dot b at zend dot com

Description:
------------
that is actually easy, in main.c :
1991     php_ini_register_extensions(TSRMLS_C);
1992     zend_startup_modules(TSRMLS_C);
1993
1994     /* disable certain classes and functions as requested by php.ini */
1995     php_disable_functions(TSRMLS_C);
1996     php_disable_classes(TSRMLS_C);
1997
1998     /* start Zend extensions */
1999     zend_startup_extensions();
As you can see, zend_extensions are started after php_disable_functions()

That might be a security whole, at list when not documented.

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2009-07-26 15:25 UTC] yoram dot b at zend dot com

security hole, of course...)

[2009-07-29 00:19 UTC] stas@php.net

This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.

fixed, thanks