Description
Description
php 8.2 at least.
if disable_functions is null in php.ini but populated in apache config php_admin_value , its ignored, phpinfo says its there but those functions like the dangerous exec is there and usable. why phpinfo says we are protected but in fact are not, thankfully we found out 3 weeks after upgrading from 7.4 which I know worked well in protecting the systems. I also tonight found it ignores the php_admin_value upload_tmp_dir as well.
Thankfully it still knows what to do with open_basedir which still appears to work.
MY understanding of disabled functions changes in 8.0 meant this (apache vhost) method was complmentary, to the php.ini, but its ignored outright.
This is using apache 2.4 with mod_php, from php 8.2.29 tested and confirmed with this release when we had it with .28 as well.
PHP Version
PHP 8.2.29 (cli) (built: Jul 3 2025 19:24:07) (ZTS)
Copyright (c) The PHP Group
Zend Engine v4.2.29, Copyright (c) Zend Technologies
Operating System
slackware 15.0