Raise a setup fatal for 'disable_functions' or 'disable_classes'

Summary: Fixes T3709. PHP has two configuration options ('disable_functions', 'disable_classes') which allow functions and classes to be blacklisted at runtime. Since these break things in an unclear way, raise a setup fatal if they are set. We take a slightly more tailored approach to these in `phd` already, but I'd rather try just saying "no, this is bad" and see if we can get away with it. I suspect we can, and there's no legitimate reason to blacklist functions given that Phabricator must have access to, e.g., `proc_open()`. Test Plan: {F54058} Reviewers: btrahan Reviewed By: btrahan CC: aran Maniphest Tasks: T3709 Differential Revision: https://secure.phabricator.com/D6739
2024-11-23 15:22:41 +01:00 · 2013-08-13 10:11:05 -07:00 · 2013-08-13 10:11:05 -07:00 · b7387f314b
commit b7387f314b
parent f37b315dec
1 changed files with 26 additions and 0 deletions
--- a/src/applications/config/check/PhabricatorSetupCheckPHPConfig.php
+++ b/src/applications/config/check/PhabricatorSetupCheckPHPConfig.php
@ -24,6 +24,32 @@ final class PhabricatorSetupCheckPHPConfig extends PhabricatorSetupCheck {
      return;
    }

+    // Check for `disable_functions` or `disable_classes`. Although it's
+    // possible to disable a bunch of functions (say, `array_change_key_case()`)
+    // and classes and still have Phabricator work fine, it's unreasonably
+    // difficult for us to be sure we'll even survive setup if these options
+    // are enabled. Phabricator needs access to the most dangerous functions,
+    // so there is no reasonable configuration value here which actually
+    // provides a benefit while guaranteeing Phabricator will run properly.
+
+    $disable_options = array('disable_functions', 'disable_classes');
+    foreach ($disable_options as $disable_option) {
+      if (ini_get($disable_option)) {
+        $message = pht(
+          "You have '%s' enabled in your PHP configuration.\n\n".
+          "This option is not compatible with Phabricator. Remove ".
+          "'%s' from your configuration to continue.",
+          $disable_option,
+          $disable_option);
+
+        $this->newIssue('php.'.$disable_option)
+          ->setIsFatal(true)
+          ->setName(pht('Remove PHP %s', $disable_option))
+          ->setMessage($message)
+          ->addPHPConfig($disable_option);
+      }
+    }
+
    $open_basedir = ini_get('open_basedir');
    if ($open_basedir) {