doucuodan0897 2013-12-06 15:05

What are the costs and benefits of heavily restricting functions and classes with disable_functions and disable_classes?

I have performed some research and begun building a complete list of PHP 5's built-in functions as documented on the project site.

What is the performance cost of leveraging disable_functions and/or disable_classes?

How do these global settings work?

Note that I came across a very valuable list of exploitable functions and the RIPS scanner.

However, it does seem more complete to actually block all functions and classes that aren't used in the PHP code.

1 answer

  • dongqi8863 2014-08-20 17:50

    disable_functions removes function handlers (pointers to actual function implementations) from a PHP function list and replaces them with a handler to a dummy function which shows the warning instead:

    Warning: system() has been disabled for security reasons in Command line code on line 1
    

    It is just processing time for PHP (every time it is invoked - a script is accessed) to do this replacement.

    I'm not quite sure about disable_classes as I've never used it.

    However, please DO NOT consider this a security feature - check this out for more info.

    Any bug in PHP (overflows, use-after-free and similar) will allow a potential attacker to tamper with the process memory and fix the function handlers to point to the correct function handlers which are still in memory - this results in re-enabling the disabled functions.

    Always separate in shared hosting environments. See my answer to another similar question.

    This answer was selected by the asker as the best answer.
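A simplified C model of the handler replacement described in the answer above, added here as an example; it is not PHP's source code and not part of the original answer. The table layout, the names (`function_table`, `apply_disable_functions`, `call_function`, `overwrite_slot`) and the return codes are assumptions made for illustration. It shows that the swap is a one-time startup step, that a call costs the same whether or not the function is disabled, and that the setting lives in a single writable pointer while the real implementation stays in the process.

```c
#include <stdio.h>
#include <string.h>
/* Simplified model, constructed for illustration; not PHP source code. */
typedef int (*handler_t)(const char *arg);
struct fn_entry { const char *name; handler_t handler; };

/* The real implementations stay compiled into the process. */
static int impl_system(const char *arg) { (void)arg; return 1; }
static int impl_strlen(const char *arg) { return (int)strlen(arg); }

/* Dummy handler that only emits the warning. */
static int display_disabled(const char *arg) {
    (void)arg;
    fprintf(stderr, "Warning: function has been disabled for security reasons\n");
    return -1;
}

static struct fn_entry function_table[] = { {"system", impl_system}, {"strlen", impl_strlen} };

static struct fn_entry *lookup(const char *name) {
    size_t n = sizeof function_table / sizeof function_table[0];
    for (size_t i = 0; i < n; i++)
        if (strcmp(function_table[i].name, name) == 0) return &function_table[i];
    return NULL;
}

/* Startup step: parse the list once, swap handlers, return how many were swapped. */
int apply_disable_functions(const char *ini_value) {
    char buf[256];
    int swapped = 0;
    snprintf(buf, sizeof buf, "%s", ini_value);
    for (char *tok = strtok(buf, ", "); tok; tok = strtok(NULL, ", ")) {
        struct fn_entry *e = lookup(tok);
        if (e) { e->handler = display_disabled; swapped++; }
    }
    return swapped;
}

/* A call costs one lookup and one indirect call, disabled or not. */
int call_function(const char *name, const char *arg) {
    struct fn_entry *e = lookup(name);
    return e ? e->handler(arg) : -2;
}

/* Stands in for the memory tampering the answer warns about: one pointer write. */
void overwrite_slot(const char *name, handler_t value) {
    struct fn_entry *e = lookup(name);
    if (e) e->handler = value;
}
```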
