Bug #62397 [Com]: disable_functions = eval does not work

2012-06-23 Thread krzf83 at gmail dot com
Edit report at https://bugs.php.net/bug.php?id=62397&edit=1

 ID:                 62397
 Comment by:         krzf83 at gmail dot com
 Reported by:        spamik at yum dot pl
 Summary:            disable_functions = eval does not work
 Status:             Not a bug
 Type:               Bug
 Package:            *General Issues
 PHP Version:        5.3.14
 Block user comment: N
 Private report:     N

 New Comment:

Treat it as feature request if it helps you sleep at night. However this issue
is critical in face of current malicious code boom. Eval (by base64_encode etc)
does not allow for any scanning and detection. This functionality of php had
begun its downfall really. People are migrating to other languages just because
infections there are rare and code cannot be just like that obfuscated!


Previous Comments:

[2012-06-24 03:56:32] krzf83 at gmail dot com

"eval is not a function but language construct" - that might be the reason why 
disable_functions don't work on it now but that does not mean it could not or 
should not.

I would not dismiss this issue so easily. Eval problem caused that php is 
currently (almost) only one language is so often infected. It allows for 
attacker to hide code, purpose, use encodings (like base64) to diminish any hope 
of detection by searching for common traits (like antivirus software does).

Eval is a functionality of php and could be disabled if appropriate
modifications to php source code were made.


[2012-06-23 12:52:55] bobwei9 at hotmail dot com

Why can't you simply add a new core directive for disabling this language 
construct?


[2012-06-23 12:29:45] larue...@php.net

as I said, eval is not a *function*, so disable_*functions* has no effect to
eval..


[2012-06-23 10:56:33] anon at anon dot anon

A reason why a bug exists is not a reason why it is not a bug.


[2012-06-23 09:14:58] larue...@php.net

eval is not a function, if you want to disable it, you may refer to Suhosin 
thanks




The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at

https://bugs.php.net/bug.php?id=62397


-- 
Edit this bug report at https://bugs.php.net/bug.php?id=62397&edit=1
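
The replies in this thread turn on eval being a language construct rather than a function. As an added example (not part of the bug report and not PHP's own code), the script below uses PHP's tokenizer to find eval by its T_EVAL token and to list decoder calls inside its argument; the decoder list, the function name find_eval_constructs and the sample source are assumptions constructed for illustration.

```php
<?php
// Added example: eval is a language construct, so it is found by token type, not by name.
var_dump(function_exists('eval')); // eval is not registered as a function
// Function names treated as decoders here are an assumption for the demo.
const DECODERS = ['base64_decode', 'gzinflate', 'gzuncompress', 'str_rot13'];

/** List each eval construct in $source with the decoder calls in its argument. */
function find_eval_constructs(string $source): array
{
    $tokens = token_get_all($source);
    $count = count($tokens);
    $findings = [];
    for ($i = 0; $i < $count; $i++) {
        if (!is_array($tokens[$i]) || $tokens[$i][0] !== T_EVAL) {
            continue; // comments and strings never produce T_EVAL
        }
        $depth = 0;
        $decoders = [];
        // Walk the parenthesised argument that follows this eval.
        for ($j = $i + 1; $j < $count; $j++) {
            $t = $tokens[$j];
            if ($t === '(') {
                $depth++;
            } elseif ($t === ')') {
                if (--$depth === 0) { break; }
            } elseif (is_array($t)) {
                $name = strtolower(ltrim($t[1], '\\'));
                if (in_array($name, DECODERS, true)) {
                    $decoders[] = $name;
                }
            }
        }
        $findings[] = ['line' => $tokens[$i][2], 'decoders' => $decoders];
    }
    return $findings;
}

// Constructed sample input; it is tokenized only, never executed.
$sample = <<<'PHP'
<?php
// eval() mentioned in a comment
$label = "eval(base64_decode(...)) inside a string";
EVAL (gzinflate(base64_decode($blob)));
eval($template);
PHP;
foreach (find_eval_constructs($sample) as $f) {
    printf("line %d: eval, decoders: %s\n", $f['line'], implode(', ', $f['decoders']) ?: 'none');
}
```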


Bug #62397 [Com]: disable_functions = eval does not work

2012-06-23 Thread krzf83 at gmail dot com
Edit report at https://bugs.php.net/bug.php?id=62397&edit=1

 ID:                 62397
 Comment by:         krzf83 at gmail dot com
 Reported by:        spamik at yum dot pl
 Summary:            disable_functions = eval does not work
 Status:             Not a bug
 Type:               Bug
 Package:            *General Issues
 PHP Version:        5.3.14
 Block user comment: N
 Private report:     N

 New Comment:

"eval is not a function but language construct" - that might be the reason why 
disable_functions don't work on it now but that does not mean it could not or 
should not.

I would not dismiss this issue so easily. Eval problem caused that php is 
currently (almost) only one language is so often infected. It allows for 
attacker to hide code, purpose, use encodings (like base64) to diminish any hope 
of detection by searching for common traits (like antivirus software does).

Eval is a functionality of php and could be disabled if appropriate
modifications to php source code were made.


Previous Comments:

[2012-06-23 12:52:55] bobwei9 at hotmail dot com

Why can't you simply add a new core directive for disabling this language 
construct?


[2012-06-23 12:29:45] larue...@php.net

as I said, eval is not a *function*, so disable_*functions* has no effect to
eval..


[2012-06-23 10:56:33] anon at anon dot anon

A reason why a bug exists is not a reason why it is not a bug.


[2012-06-23 09:14:58] larue...@php.net

eval is not a function, if you want to disable it, you may refer to Suhosin 
thanks


[2012-06-23 07:28:04] reeze dot xia at gmail dot com

eval is not a function but language construct
http://php.net/eval so it cannot be disabled by adding it to disable_functions








Bug #62397 [Com]: disable_functions = eval does not work

2012-06-23 Thread bobwei9 at hotmail dot com
Edit report at https://bugs.php.net/bug.php?id=62397&edit=1

 ID:                 62397
 Comment by:         bobwei9 at hotmail dot com
 Reported by:        spamik at yum dot pl
 Summary:            disable_functions = eval does not work
 Status:             Not a bug
 Type:               Bug
 Package:            *General Issues
 PHP Version:        5.3.14
 Block user comment: N
 Private report:     N

 New Comment:

Why can't you simply add a new core directive for disabling this language 
construct?


Previous Comments:

[2012-06-23 12:29:45] larue...@php.net

as I said, eval is not a *function*, so disable_*functions* has no effect to
eval..


[2012-06-23 10:56:33] anon at anon dot anon

A reason why a bug exists is not a reason why it is not a bug.


[2012-06-23 09:14:58] larue...@php.net

eval is not a function, if you want to disable it, you may refer to Suhosin 
thanks


[2012-06-23 07:28:04] reeze dot xia at gmail dot com

eval is not a function but language construct
http://php.net/eval so it cannot be disabled by adding it to disable_functions


[2012-06-23 00:24:50] spamik at yum dot pl

Description:

disable_functions = eval does not work.

eval is often used to obfuscate code by malicious viruses. I see no reason why 
blocking access to eval() is not doable.









Bug #62397 [Com]: disable_functions = eval does not work

2012-06-23 Thread anon at anon dot anon
Edit report at https://bugs.php.net/bug.php?id=62397&edit=1

 ID:                 62397
 Comment by:         anon at anon dot anon
 Reported by:        spamik at yum dot pl
 Summary:            disable_functions = eval does not work
 Status:             Not a bug
 Type:               Bug
 Package:            *General Issues
 PHP Version:        5.3.14
 Block user comment: N
 Private report:     N

 New Comment:

A reason why a bug exists is not a reason why it is not a bug.


Previous Comments:

[2012-06-23 09:14:58] larue...@php.net

eval is not a function, if you want to disable it, you may refer to Suhosin 
thanks


[2012-06-23 07:28:04] reeze dot xia at gmail dot com

eval is not a function but language construct
http://php.net/eval so it cannot be disabled by adding it to disable_functions


[2012-06-23 00:24:50] spamik at yum dot pl

Description:

disable_functions = eval does not work.

eval is often used to obfuscate code by malicious viruses. I see no reason why 
blocking access to eval() is not doable.









Bug #62397 [Com]: disable_functions = eval does not work

2012-06-23 Thread reeze dot xia at gmail dot com
Edit report at https://bugs.php.net/bug.php?id=62397&edit=1

 ID:                 62397
 Comment by:         reeze dot xia at gmail dot com
 Reported by:        spamik at yum dot pl
 Summary:            disable_functions = eval does not work
 Status:             Open
 Type:               Bug
 Package:            *General Issues
 PHP Version:        5.3.14
 Block user comment: N
 Private report:     N

 New Comment:

eval is not a function but language construct
http://php.net/eval so it cannot be disabled by adding it to disable_functions


Previous Comments:

[2012-06-23 00:24:50] spamik at yum dot pl

Description:

disable_functions = eval does not work.

eval is often used to obfuscate code by malicious viruses. I see no reason why 
blocking access to eval() is not doable.






