Whissi / realpath_turbo

When PHP's open_basedir restriction is set, PHP disables the realpath cache for security reasons. This may hurt your application performance. The realpath_turbo PHP extension re-enables the realpath cache. Warning: This could be a security problem in your environment! Please read the README for further information.
BSD 2-Clause "Simplified" License

Allow configuration from .user.ini #22

Open ferfebles opened 1 year ago

ferfebles commented 1 year ago

realpath_turbo can only be configured from php.ini.

We have a number of webservers that all serve several PHP applications. We would like to restrict each app to their own open_basedir, but with a general configuration in php.ini we have to broaden open_basedir to include the folders of all the applications.

We had open_basedir configured in the .user.ini application folder. But that's not possible with realpath_turbo.

Could the mode for realpath_turbo be changed from PHP_INI_SYSTEM to PHP_INI_PERDIR, allowing the use from .user.ini?

Whissi commented 1 year ago

I don't think that this would be a good idea. With PHP_INI_PERDIR, the user owning the directory could change this setting, which would have security implications. Imagine a web application gets compromised. In that case the attacker could create a .user.ini file and change disable_dangerous_functions or even set a different open_basedir.

For the PHP-FPM world I recommend putting this into the pool configuration via php_admin_value syntax. Not tested, but using per-dir settings via php.ini like

[PATH="/var/www/example.org"]
realpath_turbo.open_basedir="/var/www/example.org:/usr/share/php"

which would set realpath_turbo's setting open_basedir to "/var/www/example.org:/usr/share/php", should work, too.
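
The pool-level approach recommended above can be audited across a multi-application server. The following is an added example, not part of the thread or of realpath_turbo: it parses a PHP-FPM pool file and flags pools that do not set `realpath_turbo.open_basedir` via `php_admin_value`, or whose value reaches into another pool's directory. The pool names and paths are constructed, and treating each pool's `chdir` as its application root is an assumption of this sketch.

```python
import posixpath
import re

KEY = "realpath_turbo.open_basedir"

# Constructed PHP-FPM pool file; pool names and paths are made up.
SAMPLE_POOLS = """
[app_a]
chdir = /var/www/app-a
php_admin_value[realpath_turbo.open_basedir] = "/var/www/app-a:/usr/share/php"
[app_b]
chdir = /var/www/app-b
php_admin_value[realpath_turbo.open_basedir] = "/var/www/app-a:/var/www/app-b"
[app_c]
chdir = /var/www/app-c
php_value[realpath_turbo.open_basedir] = "/var/www/app-c"
"""

def parse_pools(text):
    """Return {pool: {directive: value}} from a pool file."""
    pools, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith(";"):
            continue
        if m := re.fullmatch(r"\[([^\]]+)\]", line):
            current = pools.setdefault(m.group(1), {})
        elif current is not None and (m := re.fullmatch(r'([^=\s]+)\s*=\s*"?([^"]*)"?', line)):
            current[m.group(1)] = m.group(2).strip()
    return pools

def covers(a, b):
    """True if directory a is b or an ancestor of b."""
    a, b = posixpath.normpath(a), posixpath.normpath(b)
    return a == b or b.startswith(a.rstrip("/") + "/")

def audit(pools):
    """Flag pools lacking an admin-level basedir or reaching into another pool's tree."""
    findings = []
    for name, cfg in pools.items():
        value = cfg.get(f"php_admin_value[{KEY}]")
        if value is None:
            findings.append((name, "not set via php_admin_value"))
            continue
        for other, ocfg in pools.items():
            root = ocfg.get("chdir")  # assumption: chdir is the pool's application root
            if other == name or not root:
                continue
            if any(covers(p, root) or covers(root, p) for p in value.split(":") if p):
                findings.append((name, f"overlaps pool {other}"))
    return findings
```

Calling `audit(parse_pools(SAMPLE_POOLS))` reports `app_b` for overlapping `app_a` and `app_c` for not using `php_admin_value`; the shared `/usr/share/php` entry in `app_a` is not flagged because it lies outside every pool's root.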