Mastering Changes in Security Functions and Settings
Learn about the new security feature updates introduced in PHP 8.
Any changes to PHP security features are worth noting. Unfortunately, given the state of the world today, attacks on any web-facing code are a given. Accordingly, we address several changes to security-related PHP functions in PHP 8. The changed functions affected include the following:
assert()
password_hash()
crypt()
In addition, there was a change in how PHP 8 treats any functions defined in the php.ini file using the disable_functions directive. Let’s have a look at this directive to begin with.
Understanding changes in disabled functions handling
Web hosting companies often offer heavily discounted shared hosting packages. Once a customer signs up, the IT staff at the hosting company creates an account on the shared server, assigns a disk quota to control disk space usage, and creates a virtual host definition on the web service. The problem such hosting companies face, however, is that allowing unrestricted access to PHP poses a security risk to both the shared hosting company and the other users on the same server.
To address this issue, IT staff often assign a comma-separated list of functions to the php.ini directive disable_functions. In so doing, any function on this list cannot be used in PHP code running on that server. Functions that typically end up on this list are those that allow operating system access, such as system() or shell_exec().
Only internal PHP functions can end up on this list. Internal functions are those included in the PHP core, as well as functions provided via extensions. User-defined functions are not affected by this directive.
Examining disabled functions’ handling differences
Note: Just because we can redefine the disabled function in PHP 8 does not mean that the original functionality has been restored!
To get a clear understanding of this concept, we need to add the line disable_functions=system to the php.ini file, which can be done with the following command:
echo "disable_functions=system" >> /etc/php.ini
If we then attempt to use the system() function, the attempt fails in both ...
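The following script is an added example (not code from the book) showing how application code can work with the disable_functions policy on PHP 8: it audits whether the two functions named above are disabled, and, because PHP 8 treats a disabled function as undefined, installs a guarded stand-in for system() that fails with a message naming the policy instead of a bare "undefined function" Error. The helper names (disabledFunctions, isDisabledByPolicy, auditDisabled) are this example's own; the stub does not restore any of the original functionality.

```php
<?php
// Added example: defensive handling of functions listed in disable_functions
// (PHP 8 only; helper names are this example's own, not PHP's).
declare(strict_types=1);

// Return the names listed in disable_functions, lower-cased and trimmed.
function disabledFunctions(): array
{
    $raw = (string) ini_get('disable_functions');
    if (trim($raw) === '') {
        return [];
    }
    return array_map(
        static fn(string $n): string => strtolower(trim($n)),
        explode(',', $raw)
    );
}

// True when the administrator has disabled $name via php.ini.
function isDisabledByPolicy(string $name): bool
{
    return in_array(strtolower($name), disabledFunctions(), true);
}

// For each name, report whether policy lists it and whether the runtime still
// exposes it. On PHP 8 a disabled function reports function_exists() === false.
function auditDisabled(array $names): array
{
    $report = [];
    foreach ($names as $name) {
        $report[$name] = [
            'listed_in_policy' => isDisabledByPolicy($name),
            'callable_now'     => function_exists($name),
        ];
    }
    return $report;
}

// PHP 8 lets us define a function that policy has disabled. This stand-in does
// NOT bring back command execution: it records the attempt for operations
// staff and fails with a message that names the cause.
if (!function_exists('system')) {
    function system(string $command, &$result_code = null): string|false
    {
        $result_code = 127;
        error_log('policy: system() is disabled via disable_functions; call rejected');
        throw new RuntimeException('system() is disabled by disable_functions on this server');
    }
}

print_r(auditDisabled(['system', 'shell_exec']));
```

With disable_functions=system in php.ini, the report shows system as listed and not callable while shell_exec remains callable; a later call to system() then raises the RuntimeException above rather than an Error.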