Suhosin and disable eval function

Question

I have installed Suhosin on my dedicated CentOS server. centos6.7+php5.4.41+suhosin0.9.36

I would like to enable Suhosin's disable eval function. I went through the documentation and from what I understood, the best scenario was to add this in php.ini:

[suhosin]
suhosin.executor.eval.blacklist= phpinfo,passthru,exec,system,chroot,scandir,chgrp,chown

but it will not prevent eval from executing phpinfo(),<?php eval(phpinfo());?>.

Really hoping someone can point out my mistake.

Answer 1

Your example executes phpinfo(), then tries to evaluate the output. Given your configuration the following example will be blocked by suhosin:

eval("phpinfo();");

Please consider using whitelisting as opposed to blacklisting, if applicable. From a security point of view it is always best to allow a limited set of functions rather than guess all the bad functions.

Also note, that eval itself is not a function and cannot be blocked by disable_functions and friends. Suhosin provides suhosin.executor.disable_eval for that purpose.

Answer 2

Open the php.ini file and look for disable_functions. Write/Enlist the functions which you want to disable. For example: disable_functions=passthru,exec,system,popen,eval