by calvinmorrison 7 hours ago

That's a nice find. People rely a little heavily on this, and it only says in the manual "This directive allows certain functions to be disabled." but it's not a security sandbox.

I think PHP has in the past explicitly stated it's not a security feature.

There have been a few issues over the years with this.

Anyway - good OS security is required anytime you run software!

Here's one from 6 years ago: https://bugs.php.net/bug.php?id=76047

kadoban 7 hours ago

> I think PHP has in the past explicitly stated it's not a security feature.

I'm struggling to think what it's for then?

turbert 7 hours ago

Likely intended more as a lint than a security feature; it's not unusual to want to exclude commonly misused features from your code and any libraries you use.

Knowing the mess that is the php standard library, I imagine many applications would want to just straight up ban the really bad parts.

duskwuff 7 hours ago

> I'm struggling to think what it's for then?

Placating some users - mainly shared web hosting providers - who still think that disabling functions like system() and exec() is an effective security measure.

calvinmorrison 7 hours ago

A lazy security feature that stops 90% of problems?