As I was looking through my phpinfo() I noticed a few strange entries in the suhosin.func.blacklist. I have the Advanced (v3) config of PHP:
- diskfreespace -- simply an alias for disk_free_space(), which is not disabled in v3.
- ini_alter -- an alias for ini_set(), which is also not disabled in v3.
- mb_send_mail -- mail() wrapper used to send encoded mail. mail() is not disabled in v3.
- posix_getcwd -- the same output can be achieved by using dirname() and/or realpath(), both of which are enabled.
Granted, I probably won't use any of them (since they are either aliases, doable via other means, or just add functionality I don't need), I just found it odd that they were in the blacklist while their counterparts weren't. As such, perhaps they should be removed from the blacklist.
Also, a few functions (proc_open, virtual, perhaps others) are listed twice, which is probably a bit unnecessary.
So if you condense the blacklist by removing those aliases/redundant entries, nothing should change security-wise, but the blacklist would then be easier to browse through to see exactly what is disabled instead of being a long, overflowing list.
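A small audit script for the kind of cleanup proposed above, added here as an example and not taken from the post or from Suhosin itself: it deduplicates a suhosin.executor.func.blacklist value and flags the alias entries named in the post whose canonical function is not itself blocked. The ALIASES table and the SAMPLE string are constructed for the example, and it assumes entries are separated by commas or whitespace.

```python
# Added example: audit a Suhosin function blacklist for duplicate entries and
# for aliases that are blocked while their canonical function is not.
# ALIASES holds the pairs named in the post; SAMPLE is a constructed value.
ALIASES = {
    "diskfreespace": "disk_free_space",  # plain alias
    "ini_alter": "ini_set",              # plain alias
    "mb_send_mail": "mail",              # wrapper around mail()
}

# Constructed sample, not a real server's configuration.
SAMPLE = ("proc_open, shell_exec, diskfreespace, ini_alter, virtual, "
          "proc_open, mb_send_mail, virtual, posix_getcwd")


def parse_blacklist(value):
    """Split a blacklist string into lowercase names, keeping order.
    Assumes comma- or whitespace-separated entries."""
    return [n.lower() for n in value.replace(",", " ").split()]


def audit_blacklist(value):
    """Return the deduplicated list, the names that occurred more than once,
    and (alias, canonical) pairs where only the alias is blocked."""
    condensed, duplicates, seen = [], [], set()
    for name in parse_blacklist(value):
        if name in seen:
            if name not in duplicates:
                duplicates.append(name)
        else:
            seen.add(name)
            condensed.append(name)
    # Blocking only the alias leaves the same functionality reachable through
    # the canonical name, so either drop the alias or block both.
    inconsistent = [(a, c) for a, c in ALIASES.items()
                    if a in seen and c not in seen]
    return {"condensed": condensed, "duplicates": duplicates,
            "inconsistent_aliases": inconsistent}


def condensed_ini_line(value, drop_lone_aliases=False):
    """Render the cleaned-up php.ini line; optionally drop aliases whose
    canonical function is not blocked, as the post proposes."""
    report = audit_blacklist(value)
    names = report["condensed"]
    if drop_lone_aliases:
        lone = {a for a, _ in report["inconsistent_aliases"]}
        names = [n for n in names if n not in lone]
    return "suhosin.executor.func.blacklist = " + ",".join(names)


if __name__ == "__main__":
    r = audit_blacklist(SAMPLE)
    print("duplicates:", r["duplicates"])
    print("alias without canonical:", r["inconsistent_aliases"])
    print(condensed_ini_line(SAMPLE, drop_lone_aliases=True))
```

Running it against the real value from phpinfo() shows at a glance which entries are repeats and which alias entries do not actually remove any capability on their own.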