Sent from my iPhone

On 2012-5-21, at 18:42, Stefan Esser <stefan.es...@sektioneins.de> wrote:

> Hi,
>
> it recently came to my attention that the function whitelist and blacklist
> feature inside Suhosin is easily bypassable since PHP 5.0.
>
> The reason for this is that PHP is no longer calling the
> zend_execute_internal() hook if a function is called from another function
> (via zend_call_function).
>
> In the days of PHP 4 the code looked like this:
>
>     if (!zend_execute_internal) {
>         ((zend_internal_function *) EX(function_state).function)->handler(
>             EX(opline)->extended_value,
>             EX(Ts)[EX(opline)->result.u.var].var.ptr,
>             EX(object).ptr, 1 TSRMLS_CC);
>     } else {
>         zend_execute_internal(&execute_data, 1 TSRMLS_CC);
>     }
>
> Nowadays (since PHP 5.0) the code was moved from call_user_function_ex to
> zend_call_function and just looks like this:
>
>     ((zend_internal_function *) EX(function_state).function)->handler(
>         fci->param_count, *fci->retval_ptr_ptr, fci->retval_ptr_ptr,
>         fci->object_ptr, 1 TSRMLS_CC);
>
> While this has no immediate impact for average PHP users, it basically kills
> the possibility for an extension like Suhosin to catch all function starts.

Actually, there is one: use a user opcode handler to hook the fcall-series
opcodes; that is how I did it in the taint extension.

http://svn.php.net/viewvc/pecl/taint/trunk/taint.c?view=markup&pathrev=325586
line 995

Thanks

> This should also be a problem for your DTRACE support. And IIRC Xdebug was
> hooking this point (at least in the past), too.
>
> My suggestion is to change the code to call the hook again.
>
> Regards,
> Stefan
>
> --
> PHP Internals - PHP Runtime Development Mailing List
> To unsubscribe, visit: http://www.php.net/unsub.php
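The following probe script is an added example and is not code from this thread, from Suhosin or from PHP. It checks, from userland, the effect Stefan describes: a blacklisted internal function reached through a callback-taking function (call_user_func, call_user_func_array, array_map) is dispatched by zend_call_function and never passes the zend_execute_internal hook, whereas a direct call is compiled to a DO_FCALL opcode and does pass it. Assumptions not stated in the thread: PHP 5.3 or later (closures) with Suhosin loaded, the blacklist pointed at the probed function via the ini setting suhosin.executor.func.blacklist, and Suhosin's behaviour of logging a blacklist hit and terminating the script unless suhosin.simulation is on. The probed function and the command are arbitrary choices.

```php
<?php
// Added example, not from the thread, Suhosin or PHP.
// Assumed php.ini for this run (setting name assumed from Suhosin's docs):
//   suhosin.executor.func.blacklist = shell_exec
// The probe marker is arbitrary; "echo probe" only has to produce a known string.

$target = 'shell_exec';
$cmd    = 'echo probe';

if (!extension_loaded('suhosin')) {
    fwrite(STDERR, "warning: suhosin is not loaded, every probe will trivially succeed\n");
}

// Indirect dispatch paths. Each reaches $target through zend_call_function,
// so no DO_FCALL opcode for $target is executed and the
// zend_execute_internal hook is never consulted for it.
$indirect = array(
    'call_user_func'       => function () use ($target, $cmd) {
        return call_user_func($target, $cmd);
    },
    'call_user_func_array' => function () use ($target, $cmd) {
        return call_user_func_array($target, array($cmd));
    },
    'array_map'            => function () use ($target, $cmd) {
        $r = array_map($target, array($cmd));
        return $r[0];
    },
);

// Run the indirect probes first: if the blacklist held for any of them the
// script would stop there (assumed Suhosin behaviour: log, then bailout
// unless suhosin.simulation is enabled).
foreach ($indirect as $name => $probe) {
    $out     = $probe();
    $verdict = (trim((string) $out) === 'probe')
        ? 'executed (blacklist bypassed)'
        : 'blocked or failed';
    printf("%-22s %s\n", $name, $verdict);
}

// Direct call last. This is the path that does hit zend_execute_internal, so
// under the assumed configuration Suhosin is expected to log it and abort the
// script; reaching the printf below means the blacklist is not enforced at all.
printf("%-22s ", 'direct call');
$out = shell_exec($cmd);
echo (trim((string) $out) === 'probe')
    ? "executed (blacklist not enforced)\n"
    : "blocked or failed\n";
```

Run it from the command line (php -d suhosin.executor.func.blacklist=shell_exec probe.php) and compare the three indirect lines with the direct one: on an affected build the three indirect probes print "executed (blacklist bypassed)" and the script is terminated at the direct call, which is exactly the gap the thread is about. A blacklist whose coverage depends on the dispatch path is not a security boundary, so treat the indirect results, not the direct one, as the measure of what the setting buys you.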