[TYPO3-english] php's disable_functions

Claudio Strizzolo claudio.strizzolo at ts.nogarb.ageinfn.it
Mon Nov 30 10:31:59 CET 2009


Hi all,
several security-related sites suggest disabling some potentially 
dangerous PHP functions on web servers as a method to improve security, 
together with other configurations and tools.
This is done by adding a disable_functions directive to php.ini, e.g.:

disable_functions=system,exec,passthru,shell_exec,popen,phpinfo,escapeshellcmd,escapeshellarg,proc_open,show_source

Some functionalities in TYPO3 (e.g. ImageMagick) need some of those 
functions to be enabled (exec, for instance), so some of those functions 
cannot actually be disabled.
Could anyone suggest a list of functions that might be safely disabled 
through the above directive, without limiting TYPO3 capabilities?
I'd like to apply the above to a shared server hosting both TYPO3-based 
and non-TYPO3-based virtual hosts. Unfortunately, 
disable_functions cannot be applied to single virtual hosts.
Thanks in advance,

Claudio
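
One way to narrow the list for a given installation, as an added example that is not part of the original post or of TYPO3: a static scan that reports which of the listed functions are called directly anywhere in a PHP source tree. The names scan_tree, directive and demo are hypothetical, the sample files are constructed, and a function with no call site found still needs testing before it is disabled.

```python
import re
import tempfile
from pathlib import Path

# Candidate list copied from the disable_functions line in the post.
CANDIDATES = ("system,exec,passthru,shell_exec,popen,phpinfo,"
              "escapeshellcmd,escapeshellarg,proc_open,show_source").split(",")
# Comments and quoted strings are blanked first so prose such as
# "// system() is not used" is not reported. Heredocs are not handled.
_NOISE = re.compile(r"/\*.*?\*/|//[^\n]*|#[^\n]*"
                    r"|'(?:\\.|[^'\\])*'" r'|"(?:\\.|[^"\\])*"', re.S)
# Direct call only: not the tail of a longer name (curl_exec), not a method
# or variable call (->exec, ::exec, $exec), not a "function exec(" declaration.
_CALL = re.compile(
    r"(?<![\w$>:])(?<!function\s)(" + "|".join(CANDIDATES) + r")\s*\(", re.I)


def scan_tree(root):
    """Map each candidate to [(relative_path, line), ...] of direct calls.
    Indirect calls (call_user_func('exec'), $name()) are NOT detected."""
    hits = {name: [] for name in CANDIDATES}
    for path in sorted(Path(root).rglob("*.php")):
        src = path.read_text(encoding="utf-8", errors="replace")
        src = _NOISE.sub(lambda m: re.sub(r"[^\n]", " ", m.group()), src)
        for m in _CALL.finditer(src):
            line = src.count("\n", 0, m.start()) + 1
            rel = path.relative_to(root).as_posix()
            hits[m.group(1).lower()].append((rel, line))
    return hits


def directive(hits):
    """php.ini line listing only the candidates with no call site found."""
    return "disable_functions=" + ",".join(n for n in CANDIDATES if not hits[n])


def demo():
    """Scan a small constructed tree (sample files, not TYPO3 code)."""
    sample = {
        "lib/image.php": "<?php\n// system() is not used here\n"
                         "exec($cmd . ' ' . escapeshellarg($f), $out);\n",
        "lib/db.php": "<?php\n$pdo->exec('DELETE FROM cache');\n"
                      "$ok = curl_exec($ch);\necho 'call passthru() later';\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in sample.items():
            Path(root, rel).parent.mkdir(parents=True, exist_ok=True)
            Path(root, rel).write_text(body, encoding="utf-8")
        return scan_tree(root)
```

Running scan_tree against each virtual host's document root and passing the result to directive gives a per-tree candidate line; on a shared server only the functions absent from every tree are candidates.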

