Tuesday, 15 March 2011

security - How to unregister specific "Registered PHP Streams"?


For security reasons I have disabled the glob function in php.ini. That works as expected, but I noticed that phpinfo() reveals the following information:

Registered PHP Streams: php, file, glob, data, http, ftp, zip, compress.zlib, phar

So if I take the following source:

    $it = new DirectoryIterator("glob://c:\wamp\www\*");
    foreach ($it as $f) {
        printf("%s: %.1fk\n", $f->getFilename(), $f->getSize() / 1024);
    }

it still returns the contents of the specified directory.

How can I globally unregister PHP streams such as glob?

The short answer is: don't bother trying.

PHP is a complete enough language that if you are going to write dirty or vulnerable code, you can get through any block set in place. All that disabling functions does is make application developers' lives hell.

It's been proven that things like safe_mode and open_basedir don't actually secure anything. The reason is twofold:

Black lists (which safe_mode is) don't work. This has been proven over, and over, and over.

You can't secure on top of an insecure base. It's too late. PHP has plenty of access; if you disable the fun parts, people can still get around it.

Instead, protect from the bottom up. Install a chroot jail, and run PHP within that. Use proper permissions. Vet the code you run on the server. Monitor the server for intrusions. Nothing fancy. Old-fashioned sys-admin work...

To answer the original question:

The way you can unregister a stream wrapper is via stream_wrapper_unregister(). Use auto_prepend_file (to run code before every script).

But realize that it's trivial to implement glob in PHP. There isn't much point in disabling it...
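As an added illustration of the approach the answer describes (this is example code, not from the original post or from any project), here is a script meant for the php.ini setting auto_prepend_file. It unregisters the wrappers it is told to, then shows what the DirectoryIterator call from the question does afterwards. The list of wrappers and the directory path are assumptions.

```php
<?php
// Added example for use as auto_prepend_file: runs before every script.
// Removes the listed stream wrappers from this PHP process and then
// demonstrates that a glob:// URL no longer resolves.

// Wrappers to remove; this list is an assumption for the example.
$disabled = ['glob', 'phar'];

foreach ($disabled as $wrapper) {
    // Only touch wrappers that are registered: unregistering an unknown
    // wrapper raises a warning and returns false.
    if (in_array($wrapper, stream_get_wrappers(), true)) {
        if (!stream_wrapper_unregister($wrapper)) {
            error_log("failed to unregister stream wrapper: $wrapper");
        }
    }
}

// Record what is still exposed, the same list phpinfo() shows.
error_log('remaining wrappers: ' . implode(', ', stream_get_wrappers()));

// Demonstration: the glob:// URL from the question now fails to open.
// The directory path is a placeholder; adjust for your system.
try {
    $it = new DirectoryIterator('glob://c:\wamp\www\*');
    foreach ($it as $f) {
        printf("%s: %.1fk\n", $f->getFilename(), $f->getSize() / 1024);
    }
} catch (RuntimeException $e) {
    // DirectoryIterator throws UnexpectedValueException (a RuntimeException)
    // when the path cannot be opened; with the wrapper gone, PHP also emits
    // a warning that the "glob" wrapper could not be found.
    echo "glob:// access blocked: ", $e->getMessage(), "\n";
}
```

Note that this only removes the wrapper from the current process: any later script can call stream_wrapper_restore('glob') to bring the built-in wrapper back, which is the practical reason the answer says not to rely on this.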

php security
