What threat model does disable_functions assume in PHP?


disable_functions allows you to disable certain functions in PHP that are deemed "dangerous". However, I’m finding it difficult to grasp what kind of threat model such a feature assumes.

If you disable certain functions to protect against your own application code, then this is at best a duct-tape solution to monkey-patch a poorly written codebase.

If, on the other hand, you’re using disable_functions to limit the extent of an RCE attack, then this is a pointless endeavour because in a lot of cases your data can be exfiltrated using "simple" functions not present in this blacklist.

It seems to me that defining such a blacklist only provides a false sense of security. If an RCE attack is successful, then your execution context is already breached and blacklisting certain functions feels like a losing battle.

Are there any real security benefits to disable_functions that I’m missing?


vodevel (best answer):

Here are possible use cases:

  1. Configuration of shared hosting to protect against the execution of arbitrary operating system commands, manipulation of file paths, etc. Examples: exec, shell_exec, passthru, popen, link. Or temporarily blocking, for example, the mail function when its use violated the permitted behavior algorithms.

  2. To simplify code control in organizations, when it is easier to prohibit the use of functions rather than monitoring them (or writing automatic rules for this) and then spending time rewriting them in the code.

  3. To satisfy some security compliance requirement (PCI DSS, SOX, HIPAA, ...), where the more arguments in favor of your security you have, the easier it is to get the desired status.

  4. Perhaps someone likes to prohibit themselves from using something. Freedom in all its forms, you know ;)
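As an added example for the shared-hosting use case in point 1 (this is not code from the question or the answer): a self-check a hosting operator can run to confirm that the answer's function list is actually disabled in the effective configuration. The file name check_disabled.php is an assumption; the function names are those listed in the answer.

```php
<?php
// Added example: verify that disable_functions took effect for the list
// from the answer. Run locally with that list disabled on the command line:
//   php -d 'disable_functions=exec,shell_exec,passthru,popen,link,mail' check_disabled.php
// In php-fpm the same value belongs in the tenant's pool file as
//   php_admin_value[disable_functions] = exec,shell_exec,passthru,popen,link,mail
// which the application cannot override, because the directive is PHP_INI_SYSTEM
// and ini_set('disable_functions', ...) has no effect at runtime.

declare(strict_types=1);

// The functions the answer proposes to disable on shared hosting.
const EXPECTED_DISABLED = ['exec', 'shell_exec', 'passthru', 'popen', 'link', 'mail'];

/** Function names from the effective INI value, trimmed and lower-cased
 *  (PHP function names are case-insensitive). */
function configuredDisabledFunctions(): array
{
    $raw   = (string) ini_get('disable_functions');
    $names = array_filter(array_map('trim', explode(',', $raw)));
    return array_map('strtolower', $names);
}

/** For each expected function: is it in the INI list, and is it still callable?
 *  Since PHP 8.0 a disabled function is removed from the function table, so
 *  function_exists() returns false; on PHP 7 it still "exists" and calling it
 *  only emits a warning, so that column is informational there. */
function audit(array $expected): array
{
    $configured = configuredDisabledFunctions();
    $report = [];
    foreach ($expected as $fn) {
        $report[$fn] = [
            'in_ini'   => in_array($fn, $configured, true),
            'callable' => function_exists($fn),
        ];
    }
    return $report;
}

$failures = 0;
foreach (audit(EXPECTED_DISABLED) as $fn => $state) {
    $ok = $state['in_ini'] && (PHP_VERSION_ID < 80000 || !$state['callable']);
    if (!$ok) { $failures++; }
    printf("%-12s ini:%-3s callable:%-3s %s\n", $fn,
        $state['in_ini'] ? 'yes' : 'no', $state['callable'] ? 'yes' : 'no',
        $ok ? 'OK' : 'CHECK');
}
// Non-zero exit means the php.ini or pool configuration needs fixing.
exit($failures === 0 ? 0 : 1);
```

Running it without the `-d` option shows every row as CHECK, which is the state a misconfigured pool would leave a tenant in.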