Disable php functions within htaccess

I'm trying to create a private clone of a popular website which gives the possibility to "write php code online" as a personal exercise.

  • I write some code in a text area
  • code is executed some way server side
  • output is returned
  • I want the output to be exactly as it would be if served by an Apache instance, with all the errors and warnings my code generated.

    There's an existing framework which serves the site webpages (a front controller, an ORM and so on) so I CAN'T USE DISABLE FUNCTIONS IN PHP INI, or everything would become unusable.

    I tried to save the input in a file and then run it with an exec like the following:

    // Redirect stdout to the file first, then stderr onto stdout, so the
    // warnings land in output.txt instead of in exec()'s own return value.
    exec("php -c mycustomphpinifile input.php > output.txt 2>&1");
    

    But the errors output won't be the same as the Apache ones.

    The final solution I'm trying to adopt is to use the php_value or php_admin_value within the httpd.conf or the .htaccess in order to disable a whole list (as you can imagine) of dangerous functions.

    However...

    php_value disable_functions "my,functions,comma,separated"
    

    doesn't seem to work with such a big list. I have to disable something like 2k functions: is there any buffer size limit on php_value within the .htaccess? Can anyone suggest a solution to this problem?


    According to the PHP documentation, you can't use the disable_functions setting anywhere other than in a php.ini file, so I'm very surprised this is working at all.

    If you need per-vhost or per-directory restrictions on functions, I would suggest using separate instances of PHP-FPM, each of which can have its own php.ini. It also provides additional security benefits, such as complete sandboxing per daemon instance.
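    A concrete form of this suggestion is one PHP-FPM pool per application, so the "run my code" area gets its own function list and filesystem limits while the framework keeps running on its normal pool. The pool file below is an added example, not from the thread or from any linked page; the pool name, socket path, user/group names, directories and the function list are assumptions, and the list itself is assembled from the functions named in the other answers.

```ini
; Added example (not from the thread): a dedicated PHP-FPM pool for the
; "run my code" area. Pool name, paths and user/group are assumptions.
[sandbox]
user  = sandbox-www
group = sandbox-www
listen = /run/php/sandbox.sock
listen.owner = www-data
listen.group = www-data
listen.mode  = 0660

; Short-lived workers: nothing from one submission survives into the next.
pm = ondemand
pm.max_children = 5
pm.process_idle_timeout = 10s
pm.max_requests = 1

; php_admin_* values are fixed for the whole pool: the submitted script cannot
; undo them with ini_set(), and they never touch the framework's own pool.
php_admin_value[disable_functions] = exec,passthru,shell_exec,system,proc_open,popen,pcntl_exec,posix_kill,posix_mkfifo,posix_setpgid,posix_setsid,posix_setuid,curl_exec,curl_multi_exec,parse_ini_file,show_source,escapeshellcmd,escapeshellarg
php_admin_value[open_basedir] = /srv/sandbox/run:/srv/sandbox/tmp
php_admin_value[upload_tmp_dir] = /srv/sandbox/tmp
php_admin_value[sys_temp_dir] = /srv/sandbox/tmp
php_admin_flag[allow_url_fopen] = off
php_admin_flag[allow_url_include] = off
php_admin_value[max_execution_time] = 5
php_admin_value[memory_limit] = 64M

; Error output as the question wants it: displayed inline the way mod_php
; would, rather than the CLI's plain-text defaults.
php_admin_flag[display_errors] = on
php_admin_flag[html_errors] = on
; 32767 is E_ALL, given numerically because this is a pool file, not php.ini.
php_admin_value[error_reporting] = 32767
php_admin_flag[log_errors] = on
```

    On the Apache side only the sandbox vhost or directory is routed to this socket (with mod_proxy_fcgi, `SetHandler "proxy:unix:/run/php/sandbox.sock|fcgi://localhost/"`), and the framework stays on its usual handler. To confirm the pool really took the whole list, request a script through that vhost that prints `ini_get('disable_functions')` and calls `function_exists()` on each name; that also settles the "buffer size" worry from the question by inspection rather than by guesswork.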


    That can't be done in an .htaccess. More info here.

    But it does seem it can be done this way. Refer to the section that states 'in .htaccess in your public_html add the following:' here:

    php_flag short_open_tag Off
    php_flag register_globals Off
    php_flag display_errors Off
    php_flag magic_quotes_gpc Off
    php_value date.timezone "Europe/Athens"
    php_value session.save_path "/absolute/path/to/writable/folder/one_level_up_of/public_html"
    

    Note where it states:

    php_value disable_functions "system, exec, passthru, shell_exec, suexec, dbmopen, popen, proc_open, disk_free_space, diskfreespace, set_time_limit, leak"

    And the footnote regarding that:

    these settings can only be changed through the default php.ini file; if they are not configured as needed and you don't have access to php.ini, contact your hosting provider to set them for you!

    EDIT: Also, do you have access to the actual Apache2 virtual host configs? If so then you might want to research how to use suhosin.executor.func.blacklist instead; see this page. Seems like that is a nicer way to have PHP functions disabled on a per host/domain basis. Perhaps even per <Directory> or <Location>?

    <VirtualHost 127.0.0.1>
    ServerAlias www.test.com
    ServerAdmin webmaster@test.com
    DocumentRoot /home/test/public_html
    
    php_admin_value suhosin.executor.func.blacklist "passthru, show_source, shell_exec, system, pcntl_exec, popen, pclose, proc_open, proc_nice, proc_terminate, proc_get_status, proc_close, leak, apache_child_terminate, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid, escapeshellcmd, escapeshellarg"
    
    </VirtualHost>
    

    You need to use php_admin_value instead of php_value in your vhost.conf file or your .htaccess file.

    <Directory /your/application/dir>
        AllowOverride None
        DirectoryIndex index.html index.htm index.php
        php_flag log_errors on
        php_flag display_errors off
        php_value error_reporting 3
        php_value memory_limit 128M
        php_admin_value upload_tmp_dir "/your/application/dir/imagecache"
        php_value max_execution_time 10
        php_admin_value disable_functions "exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source"
    </Directory>
    