#9, jols, 08-06-2009, 01:11 AM
Thanks for this. Quick questions:

If you include "zend" in the disable list, won't this mean that zend could no longer be used?

Same question for the above regarding using cURL and disabling "curl_exec"?

NOTE: "ini_restore" is in your list twice, as is "popen", and "exec", and "passthru", and "proc_open", and "symlink" and probably a few others. (popen was in there at least three times).

Also, I have heard that the following should also be in the disable list:

show_source, phpinfo, allow_url_fopen

Here's the finished list, with a few things taken out (that may possibly have disrupted legit scripts), and the few things added in from the list just above:

disable_functions = phpinfo, allow_url_fopen, exec, popen, pclose, ini_set, php_eval, safe_dir, glob, root, ftok, posix_access, egy_perl, symlink, set_time_limit, ini_restore, shell_exec, passthru, ini_alter, dl, openlog, syslog, readlink, link, leak, escapeshellcmd, proc_close, proc_get_status, proc_nice, proc_open, proc_terminate, pcntl_exec, wscript, curl_exec, apache_child_terminate, apache_setenv, define_syslog_variables, escapeshellarg, fp, fput, ftp_connect, ftp_exec, ftp_get, ftp_login, ftp_nb_fput, ftp_put, ftp_raw, ftp_rawlist, highlight_file, ini_get_all, inject_code, mysql_pconnect, php_uname, phpAds_remoteInfo, phpAds_XmlRpc, phpAds_xmlrpcDecode, phpAds_xmlrpcEncode, posix_getpwuid, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid, posix_uname, system, xmlrpc_entity_decode



REMOVED:
zend
eval
error_log
curl_exec
realpath
chdir
and most, or all of the duplicates.

ADDED:
show_source
phpinfo
allow_url_fopen

Comments? Please correct me if I'm wrong with any of this. Thanks.

Last edited by jols; 08-06-2009 at 03:34 AM.
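A way to check a proposed disable_functions line against the PHP build it will actually run on, as an added example that is not part of the original post or thread: it removes duplicates, reports entries that are not functions in this build (function_exists() is false for those, so listing them in disable_functions does nothing; allow_url_fopen, for instance, is an ini directive and is turned off with `allow_url_fopen = Off` instead), reports entries that the current php.ini already disables, and warns about entries that the site's own scripts need. The $proposed string is a constructed subset of the list in the post and $needed_by_apps is a hypothetical list; both are assumptions to edit for your host. Run it with the PHP binary and SAPI you intend to harden, since the CLI often reads a different php.ini than the web server does.

```php
<?php
// Added example, not code from the original post. Sanity-checks a proposed
// disable_functions line before it goes into php.ini.
//
// Usage (same PHP binary/SAPI you intend to harden):
//   php check_disable_functions.php

// Assumption: a constructed subset of the list under review.
$proposed = 'phpinfo, allow_url_fopen, exec, popen, pclose, ini_set, '
          . 'shell_exec, passthru, dl, curl_exec, set_time_limit, '
          . 'proc_open, proc_close, proc_close, system, glob, g lob';

// Assumption: hypothetical functions the site's own scripts call.
$needed_by_apps = ['curl_exec', 'set_time_limit', 'ini_set', 'glob'];

// Normalise an ini-style comma list: trim, drop empties, lowercase
// (function table lookups use the lowercased name).
function parse_list($line)
{
    $items = array_filter(array_map('trim', explode(',', $line)), 'strlen');
    return array_values(array_map('strtolower', $items));
}

$entries = parse_list($proposed);
$counts  = array_count_values($entries);
$unique  = array_keys($counts);

// 1. Duplicates are harmless but hide what the list really covers.
foreach ($counts as $name => $n) {
    if ($n > 1) {
        echo "duplicate: $name listed $n times\n";
    }
}

// 2. What the running configuration already disables. This must be
//    checked before function_exists(), because function_exists() returns
//    false for functions disabled via disable_functions and would otherwise
//    make them look like typos.
$already = parse_list(ini_get('disable_functions'));

foreach ($unique as $name) {
    if (in_array($name, $already, true)) {
        echo "already disabled by the current php.ini: $name\n";
    } elseif (strpos($name, ' ') !== false) {
        echo "malformed entry (contains whitespace): '$name'\n";
    } elseif (!function_exists($name)) {
        // Ini directives (allow_url_fopen), extension names, or functions
        // from extensions not loaded in this build: no effect here.
        echo "not a function in this build, no effect in disable_functions: $name\n";
    }
}

// 3. Entries that would break the functions this site's code relies on.
foreach (array_intersect($unique, $needed_by_apps) as $name) {
    echo "WARNING: $name is in the disable list but is needed by your scripts\n";
}

// 4. Emit a cleaned line: deduplicated, keeping only names that are real
//    functions here or are already disabled (so the line stays a superset
//    of the current policy).
$cleaned = array_values(array_filter($unique, function ($name) use ($already) {
    return function_exists($name) || in_array($name, $already, true);
}));
sort($cleaned);

echo "\ndisable_functions = " . implode(', ', $cleaned) . "\n";
```

After editing php.ini, confirm the result from the hardened SAPI itself (for example a throwaway page printing `ini_get('disable_functions')`, or `php -i` for the CLI), since a typo in the directive is silently ignored rather than reported.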