eval(): Function Black- and Whitelist

If eval() is the answer, then you asked the wrong question

Applications should not use eval() and should use other constructs whenever possible. However, for administrators it is not possible to enforce this restriction on 3rd-party code. Therefore this feature allows enabling some functions (whitelist) for use inside eval() statements, or disabling them (blacklist).

Be warned, however, that this protection is not a 100% protection. First of all, it is usually wise not to use blacklists and to use only whitelists, because otherwise a change in PHP or an overlooked function might allow bypassing the blacklist restrictions completely.

Examples of this are the functions register_shutdown_function() and register_tick_function(). Both could be used from within eval() to register a dangerous function which will later be called once the eval() statement has finished. Suhosin automatically enforces the eval() restrictions on functions that are created during eval() statements, but an attacker might register a dangerous function that already exists inside the application as a shutdown or tick function.

Additionally, you must realise that even disallowing all functions within eval() will not protect you from a breakout. The best example is code like this:

<?php
   ...
   eval($userinput);
   ...
   include $path_to_app . "/footer.php";
?>

It should be obvious that in the example above a malicious attacker could simply change the value of the $path_to_app variable and include whatever he wants (unless, for example, Suhosin stops him from including a remote URL).
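The following is an added example, not code from the Suhosin documentation or project. It puts the page's vulnerable pattern beside one hardening step for the variable route just described: the include target is taken out of reach of the evaluated code by making it a constant (which PHP does not allow to be reassigned) and by running eval() in its own closure scope. All function names and the sample input are constructed for illustration; the php.ini directive name in the comment is assumed from Suhosin's configuration reference and should be checked against the installed version.

```php
<?php
// Added example (not part of the Suhosin page). Demonstrates why a variable
// that later feeds an include must not be reachable from eval()'d code,
// and one way to take it out of reach. Names are hypothetical.

// --- Vulnerable pattern, as in the page's snippet ---------------------------
// $path_to_app lives in the same scope as eval(). An assignment in the
// evaluated code, with no function call at all, changes what gets included,
// so a function whitelist/blacklist (assumed php.ini directive:
// suhosin.executor.eval.whitelist) cannot stop this on its own.
function render_vulnerable(string $userinput): string
{
    $path_to_app = __DIR__ . '/app';          // what the author intended
    eval($userinput);                         // may reassign $path_to_app
    return $path_to_app . '/footer.php';      // include target now attacker-chosen
}

// --- Hardened pattern ---------------------------------------------------------
// A constant cannot be reassigned, so whatever the evaluated code does to
// variables, the include target stays fixed. This closes only the variable
// route shown on the page; the evaluated code can still do other things
// (e.g. use the include construct itself, which is not a function).
define('APP_PATH', __DIR__ . '/app');

function render_hardened(string $userinput): string
{
    // Run the evaluated code inside a static closure so it also has no
    // access to the caller's local variables. It can still reach $GLOBALS,
    // which is why the path is a constant and not a global variable.
    (static function () use ($userinput): void {
        eval($userinput);
    })();
    return APP_PATH . '/footer.php';
}

// Constructed sample input: no function calls, just an assignment, which is
// exactly the case a function-level restriction does not cover.
$constructed_input = '$path_to_app = "/srv/untrusted";';

echo "vulnerable: ", render_vulnerable($constructed_input), PHP_EOL;
echo "hardened:   ", render_hardened($constructed_input), PHP_EOL;
```

Running this prints an include target under /srv/untrusted for the vulnerable variant and the original APP_PATH for the hardened one, using the same evaluated string in both cases. The point is the one the page makes: restricting which functions eval() may call does not restrict what eval() may assign, so anything consulted after the eval() statement has to be immune to reassignment, or the eval() has to go.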



© Hardened PHP Project