There was some discussion regarding opcache and PHP-FPM in the Enhanced FPM support feature request. Comments for that feature request are now closed (admittedly the discussion of opcaching was probably a bit off topic).
Discussion about opcache and PHP-FPM brought up disclosure information in using Zend Opcache. None of that really seemed to get resolved and I'm not sure if it's really cPanel's place to resolve it, but I'm just wondering if there is a consensus on any of this.
Someone please correct me if I am wrong.
Am I right in saying that the only information disclosure in regards to Zend Opcache is that filenames and paths can be disclosed across different VirtualHosts?
If opcache.use_cwd is enabled, then information (i.e. PHP code, potentially database login information) in duplicate filenames is not cached and shared across multiple VirtualHosts, correct? opcache.use_cwd is enabled by default.
By using opcache_get_status(), filenames and paths to other cached files can be disclosed across multiple VirtualHosts. But if PHP-FPM is set up to use a chroot or if open_basedir is enabled and system()-like functions are disabled, then information in those files cannot be disclosed. Correct?
Would adding opcache_get_status() to the disable_functions list basically stop this filename disclosure?
In the feature request discussion, I proposed using Xcache as an alternative to Zend Opcache for PHP 5.6 (and I suppose PHP 5.5). Xcache is not compatible with PHP 7 or PHP 7.1, so it's not an option for those. Xcache presents two configuration variables, xcache.var_namespace_mode and xcache.var_namespace, which should (I think?) resolve issues with information disclosure between multiple VirtualHosts (or users). Ideally, something similar to this would be added to Zend Opcache. Adding this functionality to Zend Opcache would seem to fall on the shoulders of PHP and not on cPanel. But is the above workaround enough of a solution to stop any harmful information disclosure?
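An added example, not part of the original post and not cPanel or PHP project code: a small Python check that reads one PHP-FPM pool file and reports which of the settings discussed above (opcache.use_cwd, opcache_get_status in disable_functions, chroot, or open_basedir plus disabled system()-like functions) it does not set. The sample pool, the user name, the paths and the list of exec-style functions are assumptions, and the check only sees the pool file, not values inherited from the global php.ini.

```python
import re

# Constructed sample PHP-FPM pool file; user name and paths are made up.
SAMPLE_POOL = """\
[exampleuser]
user = exampleuser
;chroot = /home/exampleuser
php_admin_value[open_basedir] = /home/exampleuser/:/tmp/
php_admin_value[disable_functions] = exec,passthru,shell_exec,system
php_admin_flag[opcache.use_cwd] = on
"""

# "system()-like" functions: an assumed list, adjust to local policy.
EXEC_FUNCS = {"exec", "passthru", "shell_exec", "system", "popen", "proc_open"}
TRUE = {"1", "on", "yes", "true"}

def parse_pool(text):
    """Return (pool directives, PHP ini overrides) from one pool section."""
    pool, php = {}, {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in ";[":  # blank, comment or section header
            continue
        key, _, val = line.partition("=")
        key, val = key.strip(), val.strip().strip('"')
        m = re.fullmatch(r"php(?:_admin)?_(?:value|flag)\[(.+)\]", key)
        (php if m else pool)[m.group(1) if m else key] = val
    return pool, php

def audit(text):
    """List which of the post's mitigations the pool file does not set."""
    pool, php = parse_pool(text)
    disabled = {f.strip() for f in php.get("disable_functions", "").split(",")}
    findings = []
    # use_cwd defaults to on, so only an explicit "off" is a finding.
    if php.get("opcache.use_cwd", "1").lower() not in TRUE:
        findings.append("opcache.use_cwd is off")
    if "opcache_get_status" not in disabled:
        findings.append("opcache_get_status not in disable_functions")
    # The post's condition: chroot, OR open_basedir plus no exec functions.
    if not pool.get("chroot"):
        if not php.get("open_basedir"):
            findings.append("no chroot and no open_basedir")
        missing = sorted(EXEC_FUNCS - disabled)
        if missing:
            findings.append("exec functions enabled: " + ", ".join(missing))
    return findings
```

Calling `audit()` on the text of each pool file in the FPM pool directory gives a per-user list of gaps; an empty list means the pool file itself sets every item checked.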