Enable extension loading from .user.ini when run as CGI. #145

Closed

@ezyang

Functionality is not included for other SAPIs because they either do not
support .user.ini (e.g. CLI) or they serve multiple requests and thus
do not support dl() (e.g. FastCGI).

There is also a bugfix to invoke zlist_clean, to ensure extension_lists can be
reused for the second round of extension applications (since the head and tail
pointers have garbage in them).

Signed-off-by: Edward Z. Yang <ezyang@mit.edu>

(Available for PHP 5.3 too on request.)

@ezyang ezyang Enable extension loading from .user.ini when run as CGI.
dad6f3d
@smalyshev

This may be a security issue as .user.ini may be placed in user-writable directories and thus allow loading arbitrary binary code, thus circumventing, for example, protection for the servers that disable exec(), etc. functions. While disabling such functions is not 100% secure, adding the ability to run arbitrary binaries via config files may be a very unpleasant surprise for such setups.
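Added example, not part of this pull request or of php-src: a defender-side check for the scenario raised above. It walks a document root, reports every .user.ini that carries an extension= or zend_extension= directive (the directives php-cgi would honour with this change), and notes whether the containing directory is group- or world-writable. Paths and sample values are constructed for illustration.

```python
"""Report .user.ini files under a web root that try to load PHP extensions."""
import os
import re
import stat
from pathlib import Path

# Only these two php.ini directives pull a shared object into the interpreter.
# "extension_dir" and similar keys must not match, hence the anchored regex.
_DIRECTIVE_RE = re.compile(
    r"^(extension|zend_extension)\s*=\s*(.+?)\s*$", re.IGNORECASE
)


def find_extension_directives(ini_text):
    """Return [(directive, value), ...] for lines that would load native code.

    Lines starting with ';' are php.ini comments and '[section]' headers are
    skipped; surrounding quotes around the value are removed.
    """
    found = []
    for line in ini_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped[0] in ";[":
            continue
        match = _DIRECTIVE_RE.match(stripped)
        if match:
            found.append((match.group(1).lower(), match.group(2).strip("\"'")))
    return found


def is_group_or_world_writable(path):
    """True if others besides the owner may write to path (e.g. an upload dir)."""
    mode = os.stat(path).st_mode
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def scan_docroot(root):
    """Walk root recursively and collect findings for risky .user.ini files."""
    findings = []
    for ini in Path(root).rglob(".user.ini"):
        directives = find_extension_directives(ini.read_text(errors="replace"))
        if directives:  # a .user.ini without loading directives is not reported
            findings.append({
                "path": str(ini),
                "directives": directives,
                "dir_writable": is_group_or_world_writable(ini.parent),
            })
    return findings
```

Run scan_docroot() against each vhost's document root from a cron job or deploy hook; a finding with dir_writable set to True is the case the comment above describes.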

@ezyang

If you want, we can check for non-empty disable functions and disable this feature in that case. But there is no attack model where disabling functions is considered adequate against an attacker who knows how to create and deploy binaries to be loaded into PHP and executed.

@pierrejoye

This feature or possibility has been discussed on internals in the past. The conclusion was that it is not desirable to allow loading random extensions using .user.ini, or at runtime in general, in any SAPI other than CLI.

@ezyang

(is CLI a typo? I'm pretty sure we decided on CGI only)

@ezyang

Bump! (I'm happy to re-rebase this on the branch, but it looks like it got dropped...)

@lstrojny

@ezyang I would suggest moving this discussion to internals.

@johannes
php.net member

CLI was no typo - CLI is the only place where we want dl()-like functionality. Adding this to CGI causes a ton of security issues.

@johannes johannes closed this Jul 24, 2013