I have installed Suhosin on my dedicated CentOS server (CentOS 6.7 + PHP 5.4.41 + Suhosin 0.9.36).

I would like to enable Suhosin's disable eval function. I went through the documentation and from what I understood, the best scenario was to add this in php.ini:

[suhosin]
suhosin.executor.eval.blacklist= phpinfo,passthru,exec,system,chroot,scandir,chgrp,chown

but it will not prevent eval from executing phpinfo(): <?php eval(phpinfo()); ?>.

Really hoping someone can point out my mistake.

jf2000

2 Answers

Your example executes phpinfo(), then tries to evaluate the output. Given your configuration the following example will be blocked by suhosin:

eval("phpinfo();");

Please consider using whitelisting as opposed to blacklisting, if applicable. From a security point of view it is always best to allow a limited set of functions rather than guess all the bad functions.

Also note that eval itself is not a function and cannot be blocked by disable_functions and friends. Suhosin provides suhosin.executor.disable_eval for that purpose.

Ben

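The evaluation order Ben describes, as an added example that is not part of the original question or either answer. It uses a hypothetical probe() function in place of phpinfo() (it prints and returns true, as phpinfo() does) so the script runs on any PHP install, with or without Suhosin:

```php
<?php
// Added example (not from the original question or answers). It shows why
// eval(phpinfo()) does not exercise suhosin.executor.eval.blacklist: PHP
// evaluates eval()'s argument first, so phpinfo() runs in the normal executor
// and only its return value (bool true) is handed to eval(). The blacklist
// applies to calls made *inside* the evaluated string.
//
// probe() is a hypothetical stand-in for phpinfo() so the script runs anywhere;
// like phpinfo() it prints something and returns true.

function probe($label)
{
    echo "[$label] probe() executed by the outer (normal) executor\n";
    return true;
}

// Case 1: the question's pattern, eval(phpinfo()).
// probe() has already run by the time eval() is entered. eval() then receives
// true, which is cast to the string "1": not valid PHP, so eval() fails
// (returns false on PHP 5, throws ParseError on PHP 7+). Nothing inside eval()
// ever called probe(), so no eval blacklist could have blocked it.
try {
    $result = eval(probe('case 1'));
    var_dump($result);
} catch (Throwable $e) {              // PHP 7+ only; never matches on PHP 5
    echo "case 1: eval() failed to parse its argument\n";
}

// Case 2: the call is inside the evaluated code, as in Ben's eval("phpinfo();").
// This is the form that suhosin.executor.eval.blacklist=probe (or a
// suhosin.executor.eval.whitelist that omits probe) would block; without
// Suhosin it simply runs.
$code = 'probe("case 2");';
eval($code);
```

Run it with php example.php. Case 1 prints the probe line before eval() has done anything; case 2 is the only one where the call is executed by eval, so it is the only one the eval blacklist or whitelist can stop. If eval should never run at all, suhosin.executor.disable_eval = On removes the construct entirely, which disable_functions cannot do.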

Open the php.ini file and look for disable_functions. List the functions you want to disable. For example: disable_functions=passthru,exec,system,popen,eval

rhavendc