Hi,

We now have clarification that open_basedir shouldn't be relied upon when security matters [1], since there are a lot of ways to game it. Now, with many well-known exploitable UAFs in PHP, it is clear that people could easily get a shell if they can execute PHP code. Therefore, I suggest making the same clarification in the documentation to warn people that this is an extra safety net rather than something anyone can fully rely on.

We already have the security policy on the php/php-src GitHub repo to reject disable_functions bypasses as security issues [2], although it is not listed in the wiki [3]. Given that, I think it is reasonable to have warnings in our documentation to avoid the false sense of security it weirdly provides. I know this should go to [email protected], but I think this requires further discussion internally as a security policy issue, like what we've done for open_basedir before [4].

Best regards,
Weilin Du

[1] https://www.php.net/manual/en/ini.core.php
[2] https://github.com/php/php-src/security/policy
[3] https://wiki.php.net/security
[4] https://externals.io/message/115411
