How do I prevent Apache/PHP from showing the environment variables section in phpinfo()?

I need to prevent users from accidentally exposing private data stored in the environment variables with phpinfo(). Is there a way to configure apache or php.ini to disallow sections rendered with phpinfo?

Solution 1:

The information that phpinfo() displays is a bit all or nothing. You can tell phpinfo() to limit what information to display but you have to trust your users to call the function correctly:

http://php.net/manual/en/function.phpinfo.php

You can disable the function entirely using the disable_functions directive in your php.ini file:

http://www.php.net/manual/en/ini.core.php#ini.disable-functions

For example:

disable_functions = phpinfo

If you're feeling adventurous you could grab the PHP source, hack out the bits that render the Environment variables, then recompile. For example, in PHP 5.3.6 the relevant code can be found in /ext/standard/info.c at around line 950:

if (flag & PHP_INFO_ENVIRONMENT) {
  SECTION("Environment");
  php_info_print_table_start();
  php_info_print_table_header(2, "Variable", "Value");
  for (env=environ; env!=NULL && *env !=NULL; env++) {
    tmp1 = estrdup(*env);
    if (!(tmp2=strchr(tmp1,'='))) { /* malformed entry? */
      efree(tmp1);
      continue;
    }
    *tmp2 = 0;
    tmp2++;
    php_info_print_table_row(2, tmp1, tmp2);
    efree(tmp1);
  }
  php_info_print_table_end();
}

How do I prevent Apache/PHP from showing the environment variables section in phpinfo()?

Solution 1:

Related

Recent Posts