disable_functions and suhosin.executor.func.blacklist

thunn

Dear Supporters,

I'm a bit confused about the role of these settings:
Code:
disable_functions
This directive allows you to disable certain functions for security reasons. It takes on a comma-delimited list of function names. disable_functions is not affected by Safe Mode.

Only internal functions can be disabled using this directive. User-defined functions are unaffected.

This directive must be set in php.ini. For example, you cannot set this in httpd.conf.

Code:
suhosin.executor.func.blacklist
Comma separated blacklist of functions that are not allowed to be called. If no whitelist is given, calling a function within the blacklist will terminate the script and get logged.

Can someone explain in more detail for me?

Thank you.
 
Yes, I want to know the difference between disable_functions in php.ini and suhosin.executor.func.blacklist in php.ini.

Looks like disable_functions still allows the script to continue working and ignores the listed function, while suhosin.executor.func.blacklist makes the script terminate if a function is in the blacklist.

Thanks.
 
Looks like disable_functions still allows the script to continue working and ignores the listed function, while suhosin.executor.func.blacklist makes the script terminate if a function is in the blacklist.

I would not say so. What is your script?
 
By script I mean PHP, please.

For example, I have a function that uses ini_set.
So if I put ini_set in disable_functions, will ini_set be ignored and the PHP script keep running?

If I put ini_set in suhosin.executor.func.blacklist, will ini_set be killed and the PHP script stopped?
 
Did you try it yourself? I see this

Code:
Warning: ini_set() has been disabled for security reasons in - on line 2

with

PHP:
<?php
ini_set('session.save_path','/tmp');
print ini_get('session.save_path');
?>

in both cases, no matter how ini_set is denied, either by disable_functions or suhosin.executor.func.blacklist.

and see nothing with error_reporting set to 0 if ini_set is disabled by suhosin.executor.func.blacklist:

PHP:
<?php
error_reporting(0);
ini_set('session.save_path','/tmp');
print ini_get('session.save_path');

and see this


if ini_set is disabled by disable_functions.

So I still don't get what exactly troubles you?

So it depends on the error_reporting settings.
 
Yes, I'm simply curious about the difference between disable_functions and suhosin.executor.func.blacklist.

I've just tried again and have the answer.
I see this with disable_functions:
ini_set('session.save_path','/tmp');
With ini_set in disable_functions => the script still works, but session.save_path still uses the old path, not "/tmp".
I checked the log and saw the message too: Warning: ini_set() has been disabled for security reasons

With suhosin.executor.func.blacklist, it's different:
ini_set('session.save_path','/tmp');
ALERT - function within blacklist called: ini_set()

And it returns a blank page. That means suhosin has terminated the PHP script when it found ini_set in the blacklist.

Thanks Alex.
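
The two log messages quoted in this thread can be told apart mechanically when reviewing logs for blocked calls. The following is an added example, not code from any poster: the regexes use only the message text shown above, and the sample log lines (timestamps, host, paths, process id) are constructed for illustration.

```python
import re
from collections import defaultdict

# Message fragments exactly as quoted in the thread; anything before or after
# them on a log line (timestamps, file paths) is ignored.
PHP_DISABLED = re.compile(r"Warning: (\w+)\(\) has been disabled for security reasons")
SUHOSIN_BLOCKED = re.compile(r"ALERT - function within blacklist called: (\w+)\(\)")

# Behaviour as reported by the posters in this thread.
OUTCOME = {
    "disable_functions": "call skipped, script continued",
    "suhosin.executor.func.blacklist": "script terminated",
}

def classify(line):
    """Return (mechanism, function) for a log line, or None if unrelated."""
    m = PHP_DISABLED.search(line)
    if m:
        return ("disable_functions", m.group(1))
    m = SUHOSIN_BLOCKED.search(line)
    if m:
        return ("suhosin.executor.func.blacklist", m.group(1))
    return None

def summarize(lines):
    """Count blocked calls per (mechanism, function) pair."""
    counts = defaultdict(int)
    for line in lines:
        hit = classify(line)
        if hit:
            counts[hit] += 1
    return dict(counts)

# Constructed sample log lines (prefixes and paths are made up).
SAMPLE_LOG = [
    "[01-Jan-2024 10:00:00] PHP Warning: ini_set() has been disabled for security reasons in /var/www/example/a.php on line 2",
    "Jan  1 10:00:05 host suhosin[1234]: ALERT - function within blacklist called: ini_set()",
    "[01-Jan-2024 10:00:09] PHP Notice: Undefined variable: x in /var/www/example/b.php on line 7",
    "Jan  1 10:00:12 host suhosin[1234]: ALERT - function within blacklist called: ini_set()",
]

if __name__ == "__main__":
    for (mechanism, func), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{func}() blocked {n}x by {mechanism}: {OUTCOME[mechanism]}")
```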
 