That's a nice find. People rely a little heavily on this, and it only says in the manual "This directive allows certain functions to be disabled." but its not a security sandbox.
I think PHP has in the past explicitly stated its not a security feature.
There have been a few issues over the years with this.
Anyway - good OS security is required anytime you run software!
from a quick skim, it looks like the underlying bug is just not handling object resurrection[1] at all (FreeMe adds a reference to $array while its destructor is called).
I'm not really familiar with PHP but this seems like a surprising oversight for a popular language. Does PHP just not care about memory corruption? The fact that it is this easy is far more surprising than it being used to circumvent a questionable security feature.
4 comments
[ 3.2 ms ] story [ 23.1 ms ] threadI think PHP has in the past explicitly stated its not a security feature.
There have been a few issues over the years with this.
Anyway - good OS security is required anytime you run software!
heres one from 6 years ago https://bugs.php.net/bug.php?id=76047
I'm not really familiar with PHP but this seems like a surprising oversight for a popular language. Does PHP just not care about memory corruption? The fact that it is this easy is far more surprising than it being used to circumvent a questionable security feature.
[1] https://en.wikipedia.org/wiki/Object_resurrection