#1
Hey guys,

Actually I'm still looking for a way to block for example the exec() function without throwing an error!
Since there seems to be no way to do this, without hacking the code of php, it seems like that is what I'll have to do...

Do you people think it would be a good way to just look for where the exec() function is defined in the source and then just empty it out and let it return true or whatever value it normally returns?
Or would there be a better, different way?

And could some of you devs, just give me a short hint where to look for example for the exec() function in the source, since I never looked into php?

Regards,
Samy

#2
Samuel Vogel wrote:
> Hey guys,
>
> Actually I'm still looking for a way to block for example the exec()
> function without throwing an error!
> Since there seems to be no way to do this, without hacking the code of
> php, it seems like that is what I'll have to do...

Why do you have to do this and not your customers or their developers?

Seems like you're going to have to run a cron script or something to check once a week in case someone uploads a new file with this stuff in it.

> Do you people think it would be a good way to just look for where the
> exec() function is defined in the source and then just empty it out an
> let it return true or whatever value it normaly returns?

Well it returns a string (see http://www.php.net/manual/en/function.exec.php) so it's hard to give a "default" answer because it depends on the context.

> And could some of you devs, just give me a short hint where to look for
> example for the exec() function in the source, since I never looked into
> php?

If you're on a *nix box, you could do something like:

grep -nri '[^_]exec(' /path/to/folder/

and it will show you the files & line numbers you need to look at. The [^_] means it skips pg_exec, curl_exec, stuff like that. But you'll have to run a separate check for shell_exec (unless you want to play with the regex).

If you're on windows, use the filters in the search area to do it.

--
Postgresql & php tutorials
http://www.designmagick.com/

#3
i dont know why you wouldnt just use the disable_functions directive in php.ini

disable_functions = "exec"

this will indeed raise an error, well a warning rather, from my test

[12-Sep-2007 19:22:24] PHP Warning:  exec() has been disabled for security reasons in /home/nathan/testDisable.php on line 2

but i always suppress warnings and errors to the browser in production anyway, which is good practice. i dont see a problem letting the warnings spit out in preproduction either, then developers would get the hint..

-nathan

On 9/12/07, Samuel Vogel <samy-delux@gmx.de> wrote:
>
> Hey guys,
>
> Actually I'm still looking for a way to block for example the exec()
> function without throwing an error!
> Since there seems to be no way to do this, without hacking the code of
> php, it seems like that is what I'll have to do...
>
> Do you people think it would be a good way to just look for where the
> exec() function is defined in the source and then just empty it out an
> let it return true or whatever value it normaly returns?
> Or would there be a better, different way?
>
> And could some of you devs, just give me a short hint where to look for
> example for the exec() function in the source, since I never looked into
> php?
>
> Regards,
> Samy

#4
>On 9/12/07, Samuel Vogel <samy-delux@gmx.de> wrote:
> >
> > Hey guys,
> >
> > Actually I'm still looking for a way to block for example the exec()
> > function without throwing an error!

>From: "Nathan Nobbe" <quickshiftin@gmail.com>
>i dont know why you wouldnt just use the
>disable_functions directive in php.ini
>
>disable_functions = "exec"

I was going to mention http://php.he.net/manual/en/features....functions.php and ask you if you need any of those functions, but I prefer Nathan's answer. You may be able to set the error reporting in conjunction with disable_functions and be done.

#5
> Instruct ICC wrote:
> > I was going to mention
> > http://php.he.net/manual/en/features....functions.php and ask
> > you if you need any of those functions, but I prefer Nathan's answer.
> > You may be able to set the error reporting in conjunction with
> > disable_functions and be done.

> Date: Thu, 13 Sep 2007 20:30:52 +0200
> From: samy-delux@gmx.de
> Hey,
>
> Thanks for the replies!
> safe-mode is not an option unfortunately!
> But changing the Error reporting, is the first thing I wanted to do, but
> when I asked if this was possible on this list, somebody replied, that
> it this is not possible!
>
> Could you point me to a way, how I can achieve, that the "this function
> is disabled" error, without suppressing other error messages?
>
> Regards,
> Samy

I just tested what I had in mind. And it worked. When I added phpinfo to disable_functions in php.ini and attempted to use it in a script, it was displayed as a warning. So I modified error_reporting in php.ini to not show warnings and I believe I achieved the results you want.

However, in a production environment, I think you should disable all error reporting to not tip your hand to a hacker. I haven't verified this today, but I remember a situation where the PHP script would not display errors (or notices or warnings or ... whatever messages) in the web page, yet the message would still appear in the Apache logs.

I just changed php.ini to:
disable_functions = "phpinfo"
...
error_reporting = E_ALL & ~E_WARNING

http://php.net/manual/en/features.safe-mode.php
http://php.net/manual/en/function.error-reporting.php
http://php.net/manual/en/features.sa....functions.php

Ahh, read this in php.ini:
; Print out errors (as a part of the output). For production web sites,
; you're strongly encouraged to turn this feature off, and use error logging
; instead (see below). Keeping display_errors enabled on a production web site
; may reveal security information to end users, such as file paths on your Web
; server, your database schema or other information.

Also Samy,
I saw something like this in someone's signature line on this list:

Because it destroys the context or flow of the discussion.
>Why should I not "TOP-POST"?

#6
On Friday, 2007-09-14 at 08:31, Instruct ICC wrote:
> > Instruct ICC wrote:
> > > I was going to mention
> > > http://php.he.net/manual/en/features....functions.php and ask
> > > you if you need any of those functions, but I prefer Nathan's answer.
> > > You may be able to set the error reporting in conjunction with
> > > disable_functions and be done.
> >
> > Date: Thu, 13 Sep 2007 20:30:52 +0200
> > From: samy-delux@gmx.de
> > Hey,
> >
> > Thanks for the replies!
> > safe-mode is not an option unfortunately!
> > But changing the Error reporting, is the first thing I wanted to do, but
> > when I asked if this was possible on this list, somebody replied, that
> > it this is not possible!
> >
> > Could you point me to a way, how I can achieve, that the "this function
> > is disabled" error, without suppressing other error messages?
> >
> > Regards,
> > Samy
>
> I just tested what I had in mind. And it worked. When I added phpinfo to
> disable_functions in php.ini and attempted to use it in a script, it was
> displayed as a warning. So I modified error_reporting in php.ini to not
> show warnings and I believe I achieved the results you want.
>
> However, in a production environment, I think you should disable all
> error reporting to not tip your hand to a hacker. I haven't verified this
> today, but I remember a situation where the PHP script would not display
> errors (or notices or warnings or ... whatever messages) in the web page,
> yet the message would still appear in the Apache logs.
>
> I just changed php.ini to:
> disable_functions = "phpinfo"
> ...
> error_reporting = E_ALL & ~E_WARNING

a better solution would be

error_reporting = E_ALL
display_errors = off
log_errors = on

this sends all error messages to the apache log, as you mentioned above.

see:
http://hu2.php.net/manual/en/ref.errorfunc.php
http://hu2.php.net/manual/en/ref.err...display-errors

greets
Zoltán Németh

> http://php.net/manual/en/features.safe-mode.php
> http://php.net/manual/en/function.error-reporting.php
> http://php.net/manual/en/features.sa....functions.php
>
> Ahh, read this in php.ini:
> ; Print out errors (as a part of the output). For production web sites,
> ; you're strongly encouraged to turn this feature off, and use error logging
> ; instead (see below). Keeping display_errors enabled on a production web site
> ; may reveal security information to end users, such as file paths on your Web
> ; server, your database schema or other information.
>
> Also Samy,
> I saw something like this in someone's signature line on this list:
>
> Because it destroys the context or flow of the discussion.
> >Why should I not "TOP-POST"?

#7
Actually I can not do that.
The point of my question was, that I'm running kilu.de, a German Freehosting service. But many of our users can not cope with the error messages, occurring from the disabled_functions!

I can't log to the error log, because the errors need to be displayed to our users.

Regards,
Samy

> a better solution would be
>
> error_reporting = E_ALL
> display_errors = off
> log_errors = on
>
> this sends all error messages to the apache log, as you mentioned above.
>
> see:
> http://hu2.php.net/manual/en/ref.errorfunc.php
> http://hu2.php.net/manual/en/ref.err...display-errors
>
> greets
> Zoltán Németh

#8
shared hosting environments are interesting; ive sometimes wondered how i might configure the environment in such a scenario.

after revoking access to the exec() command you could allow the errors to be sent to the browser and recommend to users override the stock error handler as mentioned before to suppress output of particular error types (such as warnings [from calling exec() for example]). that is a cumbersome solution at best.

it would be nice if there was a way to redirect output to an error log that was dynamically selected based upon the particular user in the shared hosting environment. that way the clients could easily decide if they wanted the logging to go to the browser or to a file, and each client would have an isolated file for error logging.

im not sure on the implementation details, but i believe youd do good to research .htaccess files and php.ini (assuming youre running apache as the webserver). here <http://www.karakas-online.de/EN-Book/change-php-parameters.html> is the first article that came up in a google search. thats how 1and1 does it, via .htaccess

-nathan

On 9/14/07, Samuel Vogel <samy-delux@gmx.de> wrote:
>
> Actually I can not do that.
> The point of my question was, that I'm running kilu.de, a German
> Freehosting service. But many of our users can not cope with the error
> messages, occurring from the disabled_functions!
>
> I can't log to the error log, because the errors need to be displayed to
> our users.
>
> Regards,
> Samy
>
> > a better solution would be
> >
> > error_reporting = E_ALL
> > display_errors = off
> > log_errors = on
> >
> > this sends all error messages to the apache log, as you mentioned above.
> >
> > see:
> > http://hu2.php.net/manual/en/ref.errorfunc.php
> > http://hu2.php.net/manual/en/ref.err...display-errors
> >
> > greets
> > Zoltán Németh
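The approach Nathan sketches in #8 (keep sending errors to the browser, but have users override the stock error handler so that only the disabled-function warning is silenced), combined with the display_errors/log_errors trade-off from #5 and #6, as an added example. This is not code from the thread or from any poster. It assumes a php.ini with disable_functions covering exec() and friends and display_errors on, as on the freehosting setup Samy describes, and matches the warning wording from Nathan's log line in #3. The names canCall() and the "[disabled-function]" log prefix are chosen here. On PHP 8 a disabled function is treated as undefined and raises an Error instead of a warning, which is why the function_exists() guard is the portable check.

```php
<?php
// Added example (not from the thread): a user-level error handler that hides
// only the "has been disabled for security reasons" warning from the browser
// while still writing it to the error log. Every other notice and warning is
// handed back to PHP's standard handler, so it is displayed or logged exactly
// as php.ini says.
//
// Assumed php.ini (constructed for this example):
//   disable_functions = "exec,shell_exec,system,passthru"
//   display_errors    = On
//   log_errors        = On

// Wording of the warning PHP 5/7 emits for a disabled function, taken from the
// log line quoted in the thread ("exec() has been disabled for security reasons").
const DISABLED_FUNCTION_MARKER = 'has been disabled for security reasons';

/**
 * True when $errno/$errstr describe a call to a function listed in
 * disable_functions.
 */
function isDisabledFunctionWarning(int $errno, string $errstr): bool
{
    return $errno === E_WARNING
        && strpos($errstr, DISABLED_FUNCTION_MARKER) !== false;
}

/**
 * Error handler: swallow the disabled-function warning for the browser, but
 * keep an audit line (message, file, line) in the error log for the host.
 * Returning false hands every other error back to PHP's standard handler.
 */
function disabledFunctionHandler(int $errno, string $errstr, string $errfile, int $errline): bool
{
    if (!isDisabledFunctionWarning($errno, $errstr)) {
        return false;
    }
    error_log(sprintf('[disabled-function] %s in %s on line %d', $errstr, $errfile, $errline));
    return true;
}

/**
 * Portable guard for user scripts: function_exists() returns false for a
 * function removed by disable_functions, so code can branch instead of
 * tripping the warning (PHP 5/7) or the undefined-function Error (PHP 8).
 * (Hypothetical helper name, chosen for this example.)
 */
function canCall(string $function): bool
{
    return function_exists($function);
}

set_error_handler('disabledFunctionHandler');

// Demonstration 1 (the PHP 5/7 behaviour the thread is about): a legacy user
// script that still calls exec() directly. The browser gets no warning; the
// error log gets a "[disabled-function] exec() has been disabled ..." line.
if (PHP_MAJOR_VERSION < 8) {
    exec('uptime');
}

// Demonstration 2: the portable branch a user script should take instead.
echo canCall('exec') ? "exec() is available\n" : "exec() is disabled on this host\n";

// Anything else still behaves as configured: this undefined-variable
// notice/warning is displayed (or logged) exactly as before the handler was set.
echo $undefinedVariable;
```

Loading this file through auto_prepend_file (or including it at the top of a user's script) keeps the file path out of the browser for the disabled-function case, which is the leak the php.ini comment quoted in #5 warns about, while the host still sees every attempt in the log.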