disable_functions directive

01-11-2010, 09:10 AM
I'm currently working with a team to develop a CMS which allows the user to add some PHP functions to their page. We're getting to the point where we are going to work on that function of the CMS, and I was just wondering what functions would you disable? I've got the basics, but what other ways do people know where security can be put at risk by allowing users to write (and execute) PHP scripts?

I've got the basic list here (For those who don't know, this is to be used in the php.ini file):

disable_functions = exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source

My team hasn't begun discussing this matter yet, but I was just curious about it.

01-11-2010, 04:51 PM
pcntl_exec() is the only one that I don't see in your list that could be used to execute system commands. But you may also want to remove rmdir(), unlink(), and such.
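
As an added example (not code from either poster), here is a small POSIX sh audit that checks a php.ini file's disable_functions line against the list from the original post plus pcntl_exec from the reply above. The baseline list, the helper names, the sample ini fragment and the assumption that the last uncommented assignment is the one PHP applies are all this example's own; the php.ini key itself is the real directive.

```sh
#!/bin/sh
# Added example, not code from the thread: audit a php.ini file's
# disable_functions directive against a baseline of functions that can
# spawn processes or read files. The baseline is the original post's list
# plus pcntl_exec; all helper names here are this example's own.

BASELINE="exec passthru shell_exec system proc_open popen curl_exec curl_multi_exec parse_ini_file show_source pcntl_exec"

# Print the effective disable_functions value from an ini file: the last
# uncommented assignment (assumed to win, as a later key overrides an
# earlier one when php.ini is parsed), lower-cased, quotes and whitespace
# stripped. Prints nothing if the directive is absent.
effective_disable_functions() {
    grep -E '^[[:space:]]*disable_functions[[:space:]]*=' "$1" \
        | tail -n 1 \
        | sed -e 's/^[^=]*=//' -e 's/"//g' -e 's/[[:space:]]//g' \
        | tr '[:upper:]' '[:lower:]'
}

# Print each baseline function the file does NOT disable, one per line.
# Prints nothing when the file covers the whole baseline; an absent
# directive therefore reports every baseline function as a gap.
missing_from_baseline() {
    disabled=",$(effective_disable_functions "$1"),"
    for fn in $BASELINE; do
        case "$disabled" in
            *",$fn,"*) ;;                 # already disabled
            *) printf '%s\n' "$fn" ;;     # gap in the hardening
        esac
    done
}

# Write a constructed php.ini fragment to "$1": a commented-out line that
# must be ignored, then a partial list with quotes and untidy spacing.
write_sample_ini() {
    cat > "$1" <<'EOF'
; constructed sample php.ini fragment (not a real deployment file)
;disable_functions = exec,passthru,shell_exec,system,proc_open,popen,curl_exec
disable_functions = "exec, passthru ,shell_exec,system,proc_open,popen"
EOF
}

# Stand-alone run: report the gaps in the sample file, then clean up.
SAMPLE_INI="$(mktemp)"
write_sample_ini "$SAMPLE_INI"
echo "Baseline functions not disabled by $SAMPLE_INI:"
missing_from_baseline "$SAMPLE_INI"
rm -f "$SAMPLE_INI"
```

On the sample fragment the script lists curl_exec, curl_multi_exec, parse_ini_file, show_source and pcntl_exec as not disabled. Point it at the php.ini PHP actually loads (the path shown by `php --ini`) rather than a copy, since only the effective file matters.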

01-11-2010, 05:51 PM
I wouldn't disable anything. It's not the responsibility of software developers to disable directives and functions; it's our job to work around anything that's limiting us. If you need to use commonly disabled functions, make note of this in your documentation; otherwise you shouldn't really care if they are enabled or disabled, since it doesn't affect your software.
Many people do not have the ability to alter their ini files, and disable_functions must be altered from the ini file.