php/archived-php-src
1
0
Fork 0
mirror of https://github.com/php/php-src.git synced 2026-03-24 00:02:20 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
f4e2e91d4b6d28448104500819b68edf58bd263c
archived-php-src/main/php_globals.h
Gina Peter Banyard f4e2e91d4b core: Remove disable_classes INI setting 
RFC: https://wiki.php.net/rfc/deprecations_php_8_5#remove_disable_classes_ini_setting

This took longer to merge than expected but the initial motivation from 2 years ago still applied:

As described in the email to the PHP internals list [1] this feature is fundamentally broken and pointless.

Only internal classes can be disable which brings the following observation. On a minimal build of PHP, with only the mandatory extensions enabled, there are 148 classes/interfaces/traits defined. [2]

Other than the SPL ones (and even then), disabling any of these classes will cause issues within the engine.
Moreover, the SPL ones are not a security concern.

Therefore, any other class that can be disabled must come from an extension that can be disabled altogether. And "disabling" a class from an extension without disabling said extension will render it useless anyway.

If a hosting provided is concerned about an extension, then it should not enable it in the first place. Not break it ad hoc.

Considering the above, I cannot see how this functionality was ever useful.

This is in stark contrast to the disable_functions INI setting, which can be used to selectively remove functionality of an extension without breaking it overall.

What makes this setting particularly broken is that it does not unregister the class, it only overwrites the create CE handler to emit a warning and purge the properties and function hashtables. This leads to various use after free, segfaults, and broken expectations for the engine and extensions which define said classes. On top of that, it is possible to actually instantiate such a class (and even classes which actually disallow this like ext/imap) in userland, and pass it to function that are typed against said class without raising a TypeError. However, when trying to do anything with said object stuff is going to explode in countless ways.

[1] https://news-web.php.net/php.internals/120896
[2] https://gist.github.com/Girgias/63d55ba1e50b580412b004046daed02b
2025-08-25 21:16:55 +01:00

179 lines
3.9 KiB
C
Raw Blame History

/*
+----------------------------------------------------------------------+
| Copyright (c) The PHP Group |
+----------------------------------------------------------------------+
| This source file is subject to version 3.01 of the PHP license, |
| that is bundled with this package in the file LICENSE, and is |
| available through the world-wide-web at the following url: |
| https://www.php.net/license/3_01.txt |
| If you did not receive a copy of the PHP license and are unable to |
| obtain it through the world-wide-web, please send a note to |
| license@php.net so we can mail you a copy immediately. |
+----------------------------------------------------------------------+
| Author: Zeev Suraski <zeev@php.net> |
+----------------------------------------------------------------------+
*/
#ifndef PHP_GLOBALS_H
#define PHP_GLOBALS_H
#include "zend_globals.h"
#include <stdint.h>
typedef struct _php_core_globals php_core_globals;
#ifdef ZTS
# define PG(v) ZEND_TSRMG_FAST(core_globals_offset, php_core_globals *, v)
extern PHPAPI int core_globals_id;
extern PHPAPI size_t core_globals_offset;
#else
# define PG(v) (core_globals.v)
extern ZEND_API struct _php_core_globals core_globals;
#endif
/* Error display modes */
#define PHP_DISPLAY_ERRORS_STDOUT 1
#define PHP_DISPLAY_ERRORS_STDERR 2
/* Track vars */
#define TRACK_VARS_POST 0
#define TRACK_VARS_GET 1
#define TRACK_VARS_COOKIE 2
#define TRACK_VARS_SERVER 3
#define TRACK_VARS_ENV 4
#define TRACK_VARS_FILES 5
#define TRACK_VARS_REQUEST 6
struct _php_tick_function_entry;
typedef struct _arg_separators {
zend_string *output;
zend_string *input;
} arg_separators;
struct _php_core_globals {
zend_long output_buffering;
bool implicit_flush;
bool enable_dl;
uint8_t display_errors;
bool display_startup_errors;
bool log_errors;
bool ignore_repeated_errors;
bool ignore_repeated_source;
bool report_memleaks;
char *output_handler;
char *unserialize_callback_func;
zend_long serialize_precision;
zend_long memory_limit;
zend_long max_memory_limit;
zend_long max_input_time;
char *error_log;
char *doc_root;
char *user_dir;
char *include_path;
char *open_basedir;
bool open_basedir_modified;
char *extension_dir;
char *php_binary;
char *sys_temp_dir;
char *upload_tmp_dir;
zend_long upload_max_filesize;
char *error_append_string;
char *error_prepend_string;
char *auto_prepend_file;
char *auto_append_file;
char *input_encoding;
char *internal_encoding;
char *output_encoding;
arg_separators arg_separator;
char *variables_order;
HashTable rfc1867_protected_variables;
short connection_status;
bool ignore_user_abort;
unsigned char header_is_being_sent;
zend_llist tick_functions;
zval http_globals[6];
bool expose_php;
bool register_argc_argv;
bool auto_globals_jit;
bool html_errors;
bool xmlrpc_errors;
char *docref_root;
char *docref_ext;
zend_long xmlrpc_error_number;
bool activated_auto_globals[8];
bool modules_activated;
bool file_uploads;
bool during_request_startup;
bool allow_url_fopen;
bool enable_post_data_reading;
bool report_zend_debug;
int last_error_type;
int last_error_lineno;
zend_string *last_error_message;
zend_string *last_error_file;
char *php_sys_temp_dir;
zend_long max_input_nesting_level;
zend_long max_input_vars;
char *user_ini_filename;
zend_long user_ini_cache_ttl;
char *request_order;
char *mail_log;
bool mail_x_header;
bool mail_mixed_lf_and_crlf;
bool in_error_log;
bool allow_url_include;
#ifdef PHP_WIN32
bool com_initialized;
#endif
bool in_user_include;
#ifdef PHP_WIN32
bool windows_show_crt_warning;
#endif
bool have_called_openlog;
zend_long syslog_facility;
char *syslog_ident;
zend_long syslog_filter;
zend_long error_log_mode;
};
#endif /* PHP_GLOBALS_H */
Reference in New Issue View Git Blame Copy Permalink