disable_functions doesn't work?

[kenw232]

I have a virtualhost with disable_functions defined as:

<VirtualHost x.x.x.x>

php_admin_value disable_functions system,passthru,exec,popen,proc_close,proc_open,shell_exec

</VirtualHost>

 

But this PHP code still works:

<html>

<?

$sCMD = `/bin/cat /tmp/test.txt`;

echo $sCMD;

?>

</html>

 

The contents of test.txt is still read and echoed out. Am I missing something?

 

I'm running PHP 5.3.16 on Linux 2.4.

[DavidAM]

Is PHP being run as a loaded module or as CGI? As I understand it, settings in the Apache config files (including .htaccess) only work when PHP is being run as a module. Otherwise, you have to put the settings in the php.ini file.

[kicken]

disable_functions string

This directive allows you to disable certain functions for security reasons. It takes on a comma-delimited list of function names. disable_functions is not affected by Safe Mode.

 

Only internal functions can be disabled using this directive. User-defined functions are unaffected.

 

This directive must be set in php.ini For example, you cannot set this in httpd.conf.

 

[kenw232]

This directive must be set in php.ini For example, you cannot set this in httpd.conf.

 

Thanks. I should read more. But this means its server wide, I cannot disable some functions for some Virtualhosts and not others correct? Doesn't that make it unrealistic?

[kenw232]

I kind of found out what to do here:

http://www.webhostingtalk.com/showthread.php?t=623944