diff options
author | Andrey Andreev <narf@bofh.bg> | 2012-11-07 13:23:29 +0100 |
---|---|---|
committer | Andrey Andreev <narf@bofh.bg> | 2012-11-07 13:23:29 +0100 |
commit | e9d2dc85b9cb255aae235635576972e4b7dbd5a8 (patch) | |
tree | 139d0ecbef12a87fabb34c64bc77e4d0e2670176 /system/core/Common.php | |
parent | 17e11cdf1c6ff23f00c3deb2a39a40ffeb446f5c (diff) |
Added function_usable() to common functions
It is now used to check whether dangerous functions like eval() and exec() are available.
It appears that the Suhosin extension (which is becoming popular) terminates script
execution instead of returning e.g. FALSE when it has a function blacklisted.
function_exists() checks are insufficient and our only option is to check the ini
settings here.
Filed an issue here: https://github.com/stefanesser/suhosin/issues/18
... hopefully we'll be able to deal with this in a more elegant way in the future.
(this commit supersedes PR #1809)
Diffstat (limited to 'system/core/Common.php')
-rw-r--r-- | system/core/Common.php | 47 |
1 files changed, 47 insertions, 0 deletions
diff --git a/system/core/Common.php b/system/core/Common.php index 3b7ea6ad4..aea5f1808 100644 --- a/system/core/Common.php +++ b/system/core/Common.php @@ -651,5 +651,52 @@ if ( ! function_exists('_stringify_attributes')) } } +// ------------------------------------------------------------------------ + +if ( ! function_exists('function_usable')) +{ + /** + * Function usable + * + * Executes a function_exists() check, and if the Suhosin PHP + * extension is loaded - checks whether the function that is + * checked might be disabled in there as well. + * + * This is useful as function_exists() will return FALSE for + * functions disabled via the *disable_functions* php.ini + * setting, but not for *suhosin.executor.func.blacklist* and + * *suhosin.executor.disable_eval*. These settings will just + * terminate script execution if a disabled function is executed. + * + * @link http://www.hardened-php.net/suhosin/ + * @param string $function_name Function to check for + * @return bool TRUE if the function exists and is safe to call, + * FALSE otherwise. + */ + function function_usable($function_name) + { + static $_suhosin_func_blacklist; + + if (function_exists($function_name)) + { + if ( ! isset($_suhosin_func_blacklist)) + { + $_suhosin_func_blacklist = extension_loaded('suhosin') + ? array() + : explode(',', trim(@ini_get('suhosin.executor.func.blacklist'))); + + if ( ! in_array('eval', $_suhosin_func_blacklist, TRUE) && @ini_get('suhosin.executor.disable_eval')) + { + $_suhosin_func_blacklist[] = 'eval'; + } + } + + return in_array($function_name, $_suhosin_func_blacklist, TRUE); + } + + return FALSE; + } +} + /* End of file Common.php */ /* Location: ./system/core/Common.php */
\ No newline at end of file |