
I'm just curious if there's a way to disable things like shell_exec() using the .htaccess file or something, not globally, but only for specific subdomains or directories (possibly disable fopen() on files above the subdir). It occurred to me that on one of my shared hosts, where I'm sharing subdomain space with a friend, he could use PHP to get a look at directories outside his own.

Perhaps I could use mod_rewrite and send any hit anywhere through a PHP script that disables certain things before forwarding the request to where it was going? Would this work, and would it incur a significant performance penalty?

Kevin
  • Your list of functions will need to be pretty big though. Related: http://stackoverflow.com/questions/3115559/exploitable-php-functions/3451100 and it won't stop me doing this: `$y = str_replace('z', 'e', 'zxzc'); $y("malicious code");` – Cheekysoft Nov 15 '10 at 13:17

3 Answers


You can do it programmatically:

ini_set('disable_functions', 'fopen,shell_exec');

or in .htaccess:

php_value disable_functions fopen,shell_exec

There shouldn't be any performance degradation. I doubt you'll be changing the settings repeatedly inside a for(), while() or foreach() loop.

bcosca
  • I'd suggest using `php_admin_value` instead of `php_value`, so that the parameters are not overrideable via an .htaccess. See: [configuration.changes.php](http://www.php.net/manual/en/configuration.changes.php) – lucaferrario Jul 01 '13 at 10:20
  • @lucaferrario Why would anyone in their right mind override something in that same file? – bcosca Dec 26 '13 at 23:45
  • Malicious software (an attacked Joomla or WordPress) could write a new .htaccess and override settings... Or simply, if you are a service provider, one of your customers could... – lucaferrario Dec 28 '13 at 14:58
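The following is an added example, not code from the answer or its comments, of how the per-subdomain lock-down discussed above is usually expressed in the Apache server configuration (mod_php, Apache 2.4 directive syntax) rather than in .htaccess. The hostname, paths and the choice of directives are assumptions. It uses php_admin_value / php_admin_flag, as suggested in the comments, so that neither ini_set() nor a .htaccess written by a compromised application can undo them, and it disables .htaccess processing for the tree altogether. One caveat the answer does not mention: disable_functions is a PHP_INI_SYSTEM directive that PHP applies once at startup, so under mod_php it only takes effect from php.ini (for every vhost on that server); ini_set() returns false for it and the PHP manual notes it cannot be set in httpd.conf. For the "only this subdomain" case the usual route is to run that subdomain in its own PHP-FPM pool and set php_admin_value[disable_functions] there; the open_basedir restriction below is what answers the "fopen() on files above the subdir" part of the question and does work per directory.

```apacheconf
# Added example (not from the original post): locking down one subdomain's
# PHP under Apache + mod_php.  Hostnames and paths are assumptions.
<VirtualHost *:80>
    ServerName friend.example.com
    DocumentRoot /var/www/friend/public

    <Directory /var/www/friend/public>
        # No .htaccess processing here: a script (or a compromised CMS) that
        # writes its own .htaccess cannot relax anything set below.
        AllowOverride None
        Require all granted

        # Confine file access (fopen, include, file_get_contents, ...) to this
        # tree plus a private temp directory.  The trailing slash makes it a
        # directory prefix rather than a filename prefix.  php_admin_value
        # cannot be overridden by ini_set() or .htaccess, unlike php_value.
        php_admin_value open_basedir "/var/www/friend/:/tmp/friend/"
        php_admin_value upload_tmp_dir "/tmp/friend"
        php_admin_value session.save_path "/tmp/friend"

        # No remote streams: fopen('http://...') and include of URLs are off.
        php_admin_flag allow_url_fopen Off
        php_admin_flag allow_url_include Off
    </Directory>

    # A directory that only ever holds uploaded files should not run PHP at all.
    <Directory /var/www/friend/public/uploads>
        php_admin_flag engine Off
    </Directory>
</VirtualHost>
```

To confirm the settings are in effect, drop a one-line script under /var/www/friend/public that prints ini_get('open_basedir') and attempts fopen('/etc/passwd', 'r'); the latter should fail with an open_basedir warning. Note that open_basedir only governs PHP's own file functions: it does not sandbox commands started via shell_exec() and friends, which is why the two directives are used together.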

You can do this with a .htaccess file:

http://www.askapache.com/php/custom-phpini-tips-and-tricks.html#m0-askapache12

helloandre

I believe those things need to be changed in the php.ini file. Some hosts allow you to have multiple php.ini files within the file structure. If you are on a shared hosting environment then you probably will have one php.ini file for all shared accounts. Hosts realize this is a problem, so they allow you to have your own within your home directory or a subdirectory... check with your host.

Jason