I have a PHP shell and I want the user to be able to call functions directly. I got it done. But then I found out that the user can call even pre-defined functions like unlink and more. I think this is a security hole, so I want to restrict callable functions to only those which I have defined, e.g. calling unlink won't work.

apaderno
Anagmate

2 Answers

You can get the list of defined functions with

get_defined_functions();

It will return an associative array with user-defined and internal functions. You can use that information to decide whether a function is user-defined or internal. (manual)

hek2mgl
  • And how would he restrict non-user functions from being executed by `php`? – Danny Beckett Dec 07 '13 at 23:32
  • Can say only when I know his code. Looks like the OP needs to wrap function calls – hek2mgl Dec 07 '13 at 23:33
  • His code is irrelevant. He's using `php`, e.g. the PHP shell. – Danny Beckett Dec 07 '13 at 23:33
  • Do you mean `php -a`? I don't see this information in the question – hek2mgl Dec 07 '13 at 23:34
  • Yes. The question says "I have PHP shell". – Danny Beckett Dec 07 '13 at 23:35
  • A PHP CLI application isn't a *PHP shell*. If he has a PHP CLI application then he could create a whitelist using information returned by `get_defined_functions()['user']`. So it should be useful, isn't it? – hek2mgl Dec 07 '13 at 23:38
  • The PHP [manual](http://php.net/manual/en/features.commandline.interactive.php) defines `php -a` as an "interactive shell". I'm curious myself now as to whether this could be done without a wrapper program. Let's see if the OP responds with more info! – Danny Beckett Dec 07 '13 at 23:40
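The allowlist approach from this answer and its comments, as an added example that is not code from the question or the answer: a small command dispatcher that parses the user's input itself (it never passes user text to eval()) and only invokes functions that appear in get_defined_functions()['user'], minus the dispatcher's own plumbing. The functions greet()/add(), the helper names and the sample session are all made up for the demonstration.

```php
<?php
// Added example, not from the original question or answers.
// A minimal "shell" dispatcher that lets the user call only functions this
// script defines (an allowlist) and refuses every PHP internal, e.g. unlink().
// greet(), add() and the sample commands below are illustrative only.

declare(strict_types=1);

// The functions the user is meant to be able to call.
function greet(string $name): string { return "hello, $name"; }
function add(string $a, string $b): string { return (string) ((int) $a + (int) $b); }

// Build the allowlist once, after every user function has been declared.
// get_defined_functions() returns names lowercased; PHP function names are
// case-insensitive, so the user's input is normalised the same way later.
// The dispatcher's own helpers are user-defined too and must be excluded,
// otherwise the user could invoke them.
function build_allowlist(): array {
    $plumbing = ['build_allowlist', 'dispatch'];
    $user = array_diff(get_defined_functions()['user'], $plumbing);
    return array_fill_keys($user, true);
}

function dispatch(string $line, array $allow): string {
    $parts = preg_split('/\s+/', trim($line));
    $name  = strtolower((string) array_shift($parts));

    // Anything not in the allowlist is refused: internals such as unlink or
    // file_get_contents, undefined names, and language constructs alike.
    if ($name === '' || !isset($allow[$name])) {
        return "refused: '$name' is not a user-defined function";
    }

    // $name is now known to be one of our own functions, so the dynamic call
    // can only reach code we wrote. Validating the arguments is still each
    // function's job; wrong arity or type is reported instead of crashing.
    try {
        return (string) $name(...$parts);
    } catch (\ArgumentCountError | \TypeError $e) {
        return "error: " . $e->getMessage();
    }
}

$allow = build_allowlist();

// Constructed sample session (not real user input).
$session = [
    'greet alice',
    'ADD 2 3',
    'unlink /tmp/important.txt',
    'file_get_contents /etc/passwd',
    'dispatch greet',
    'nosuchfn',
];
foreach ($session as $cmd) {
    echo str_pad($cmd, 32), ' => ', dispatch($cmd, $allow), PHP_EOL;
}
```

This only works because the dispatcher controls what gets called: if the shell instead hands the raw user text to eval(), include or `php -a`, the user is running arbitrary PHP and no allowlist inside the script can constrain it, which is the point Danny Beckett makes above.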
You can disable functions using the disable_functions INI setting (in your php.ini file).

For example:

disable_functions=unlink,fopen,file_get_contents [and so on...]
Sverri M. Olsen
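A check that goes with this answer, as an added example rather than code from the answer: it verifies from inside the PHP process that the disable_functions deny list actually took effect, and shows why the setting cannot be applied from script code. The list of names in $expected is illustrative; nothing here assumes a particular php.ini.

```php
<?php
// Added example, not part of the original answer. Verifies whether the
// disable_functions deny list is in effect for this process and shows that
// it cannot be set at runtime. The $expected names are illustrative.

declare(strict_types=1);

// disable_functions is PHP_INI_SYSTEM: it is only honoured from php.ini or
// the SAPI/web-server configuration. ini_set() cannot change it and returns
// false, so a script cannot enable or disable functions for itself.
function try_set_at_runtime(array $names): bool {
    return ini_set('disable_functions', implode(',', $names)) !== false;
}

// Names actually disabled in this process, normalised to lowercase.
function disabled_functions(): array {
    $raw = (string) ini_get('disable_functions');
    $names = array_map(static fn(string $n): string => strtolower(trim($n)), explode(',', $raw));
    return array_values(array_filter($names, static fn(string $n): bool => $n !== ''));
}

// A disabled internal function is reported as non-existent by function_exists()
// and cannot be called. Map each expected name to its state so a deployment
// check can compare it with what php.ini was supposed to contain.
function check_disabled(array $expected): array {
    $state = [];
    foreach ($expected as $fn) {
        $state[$fn] = function_exists($fn) ? 'still callable' : 'disabled';
    }
    return $state;
}

// Illustrative deny list; extend it with whatever the deployment forbids.
$expected = ['unlink', 'fopen', 'file_get_contents'];

echo 'ini_set() accepted the change: ', var_export(try_set_at_runtime($expected), true), PHP_EOL;
$disabled = disabled_functions();
echo 'disable_functions in effect: ', $disabled ? implode(', ', $disabled) : '(none)', PHP_EOL;
foreach (check_disabled($expected) as $fn => $state) {
    echo str_pad($fn, 20), $state, PHP_EOL;
}
```

Two caveats a practitioner should keep in mind with this approach: disable_functions is a deny list, so every dangerous internal (not just unlink but exec, system, passthru, shell_exec, proc_open, popen and so on) has to be enumerated by hand, and it applies to every script the PHP binary runs, not only the shell, so it is a process-wide policy rather than a per-application one.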