Overview
The TownNews platform is a shared hosting environment. This means that your web site and several others are being served on the same computers. The largest concerns in our hosting environment with regard to PHP are:
- Security - Access to files that belong to other customers, viewing passwords from other customers, and disgruntled employees trying to damage all sites on a system.
- Resources - There are limitations to our hosting environment - we are always on the lookout for customers that fail to properly ensure their software actually scales, or that cause the whole system to shut down because of high CPU, disk, or memory requirements.
These reasons are why we must restrict the development environment from its "out-of-box" behavior.
PHP Restrictions / Environment
Version
TownNews runs a patched version of PHP 7.3.
Disabled Functions
The following functions cannot be accessed from a PHP script:
- apache_child_terminate
- apache_get_modules
- apache_get_version
- apache_getenv
- apache_lookup_uri
- apache_note
- apache_reset_timeout
- apache_setenv
- chgrp
- chmod
- chown
- clearstatcache
- disk_free_space
- disk_total_space
- diskfreespace
- get_current_user
- get_declared_classes
- get_declared_interfaces
- get_declared_traits
- get_defined_constants
- get_extension_funcs
- get_included_files
- get_loaded_extensions
- get_required_files
- highlight_file
- ini_get_all
- lchgrp
- lchown
- opcache_compile_file
- opcache_get_configuration
- opcache_get_status
- opcache_invalidate
- opcache_reset
- pfsockopen
- php_ini_loaded_file
- php_ini_scanned_files
- php_logo_guid
- php_uname
- phpcredits
- phpinfo
- posix_getlogin
- posix_kill
- posix_mkfifo
- posix_mknod
- posix_setsid
- posix_setuid
- posix_ttyname
- proc_nice
- realpath_cache_get
- session_save_path
- shell_exec
- show_source
- socket_select
- stream_select
- umask
- virtual
- zend_logo_guid
- pcntl_fork
- pcntl_exec
Safe-Mode Aware Functions
- exec()
- passthru()
- proc_open()
- system()
- popen()
- dl()
- php_uname()
- curl()
- mail()
Restricted File System
Unlike other mass virtual hosting providers, TownNews has modified our PHP distributions to limit access within the programming environment to each web site. Essentially, your scripts have access to a limited number of locations on the file system. These restrictions help prevent exploits found in other web sites' code from being used to damage your web site.
BLOX access:
Other areas of the system are not available for general use. Note that this applies to PHP only. FTP access is available to data folders.
PHP Extensions
BLOX /app sites have the following extensions preloaded and available:
- bcmath
- Core
- ctype
- curl
- date
- dba
- dom
- exif
- fileinfo
- filter
- ftp
- gd
- gettext
- gmp
- hash
- iconv
- imap
- json
- libxml
- mbstring
- mysqlnd
- openssl
- ossp_uuid
- pam
- pcntl
- pcre
- PDO
- pdo_mysql
- pdo_sqlite
- posix
- Reflection
- session
- SimpleXML
- soap
- sockets
- SPL
- standard
- tidy
- tokenizer
- xml
- xmlreader
- xmlrpc
- xmlwriter
- zip
- zlib
Max Execution Time
There is a max execution time of 60 seconds for scripts.
Memory Restrictions
Your script, including all of the class code and variable data, can only use up to 20 MiB of memory. File uploads are restricted to 50 MiB. Your script will automatically be terminated if it exceeds the memory limit.
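The practical consequence of the two limits above is that a script must not read a whole upload into memory (a 50 MiB upload does not fit in a 20 MiB script budget) and must finish its work in 60 seconds. The following is an added example, not TownNews code: it processes a file line by line, checks its own memory and elapsed time against the limits stated on this page, and stops with a partial result instead of being killed without output. The temporary file, the per-line work and the 90%/50-second headroom figures are constructed for illustration.

```php
<?php
// Added example (not TownNews code): stay within the 20 MiB memory and
// 60-second execution limits documented above by streaming the input.
const MEMORY_LIMIT_BYTES = 20 * 1024 * 1024;   // 20 MiB script memory (from the page)
const UPLOAD_LIMIT_BYTES = 50 * 1024 * 1024;   // 50 MiB upload cap (from the page)
const TIME_LIMIT_SECONDS = 60;                 // max execution time (from the page)

/**
 * Counts non-empty lines in $path without loading the whole file, stopping
 * early (and saying why) if memory or time get close to the hosting limits.
 * Returns ['lines' => int, 'complete' => bool, 'reason' => ?string].
 */
function count_lines_within_limits(string $path): array
{
    $size = filesize($path);
    if ($size === false || $size > UPLOAD_LIMIT_BYTES) {
        return ['lines' => 0, 'complete' => false, 'reason' => 'file missing or larger than the 50 MiB upload cap'];
    }

    $fh = fopen($path, 'rb');
    if ($fh === false) {
        return ['lines' => 0, 'complete' => false, 'reason' => 'cannot open file'];
    }

    $start = microtime(true);
    $lines = 0;
    // fgets() keeps only one line in memory at a time; file() or
    // file_get_contents() would pull the whole file into the 20 MiB budget.
    while (($line = fgets($fh)) !== false) {
        if (trim($line) !== '') {
            $lines++;
        }
        // Check every 1000 lines and leave headroom (90% of memory, 10 s of time)
        // so the script returns a result rather than being terminated mid-way.
        if (($lines % 1000) === 0) {
            if (memory_get_usage(true) > 0.9 * MEMORY_LIMIT_BYTES) {
                fclose($fh);
                return ['lines' => $lines, 'complete' => false, 'reason' => 'approaching 20 MiB memory limit'];
            }
            if ((microtime(true) - $start) > TIME_LIMIT_SECONDS - 10) {
                fclose($fh);
                return ['lines' => $lines, 'complete' => false, 'reason' => 'approaching 60 s execution limit'];
            }
        }
    }
    fclose($fh);
    return ['lines' => $lines, 'complete' => true, 'reason' => null];
}

// Constructed sample input: a small temporary file (assumes the temp directory is writable).
$tmp = tempnam(sys_get_temp_dir(), 'demo');
file_put_contents($tmp, "alpha\n\nbeta\ngamma\n");
print_r(count_lines_within_limits($tmp));
unlink($tmp);
```

The same pattern applies to any batch job (imports, feed generation, image processing): do the work in chunks, measure with memory_get_usage() and microtime(), and persist progress so a later request can resume.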
mail_strerror
This function was written by TownNews in order to return a more detailed list of errors. An example of its usage can be seen below, as well as a list of the returned errors.
<?php
if (!mail("person@gmail.com", "test", "test")) {
    // mail() returned false: mail_last_error() gives the numeric code,
    // mail_strerror() the matching text.
    $err = mail_last_error();
    echo "The error is: " . mail_strerror($err) . "\n";
}
?>
If the mail function returns false, mail_last_error() can be called; the return code from that is an integer with the following meanings:
- 0: Mail was successfully delivered
- -101: An error occurred while creating a temporary delivery file
- -102: The FROM: field cannot contain more than one email address
- -103: Mail messages cannot be addressed to more than 3 recipients
- -104: The subject line cannot exceed 250 characters
- -105: One or more of the recipients are blacklisted
- -106: The rate limit for this address has been reached
- -107: Unable to connect to SMTP mail server
- -108: Unable to set from address
- -109: No valid SMTP recipients
- -110: Error while sending DATA
- -111: Unable to finalize SMTP transaction
- *: An unknown error has occurred
Otherwise, you can call mail_strerror(), which returns the text-based error message.
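Several of the codes above describe limits a script can respect up front rather than discover after a failed send: one FROM address (-102), at most 3 recipients per message (-103), a subject of at most 250 characters (-104), and a per-address rate limit (-106) after which further sends are pointless. The following wrapper is an added example, not TownNews code. It assumes mail_strerror() accepts the integer code returned by mail_last_error(); outside the TownNews platform those two functions do not exist, so it falls back to error_get_last() to stay runnable. The addresses and message are constructed placeholders.

```php
<?php
// Added example (not TownNews code): send to a recipient list in batches of 3
// and report failures using the TownNews error codes documented above.
const MAX_RECIPIENTS_PER_MESSAGE = 3;   // from error -103
const MAX_SUBJECT_LENGTH = 250;         // from error -104
const MAIL_RATE_LIMITED = -106;         // from the table above

// Returns "code: text" from TownNews' mail_last_error()/mail_strerror() when
// present (assumed signature: mail_strerror(int $code)), else the last PHP error.
function describe_mail_failure(): string
{
    if (function_exists('mail_last_error') && function_exists('mail_strerror')) {
        $code = mail_last_error();
        return sprintf('%d: %s', $code, mail_strerror($code));
    }
    $last = error_get_last();
    return $last ? $last['message'] : 'unknown mail error';
}

/**
 * Sends $body to every address in $recipients, at most 3 per mail() call.
 * Returns ['sent' => [addresses], 'failed' => [address => reason]].
 */
function send_in_batches(array $recipients, string $subject, string $body, string $from): array
{
    // -102: the FROM header may carry exactly one address.
    if (substr_count($from, '@') !== 1) {
        throw new InvalidArgumentException('FROM must contain exactly one address');
    }
    // -104: truncate the subject rather than let every batch fail.
    if (strlen($subject) > MAX_SUBJECT_LENGTH) {
        $subject = substr($subject, 0, MAX_SUBJECT_LENGTH);
    }

    $result = ['sent' => [], 'failed' => []];
    foreach (array_chunk($recipients, MAX_RECIPIENTS_PER_MESSAGE) as $batch) {
        $to = implode(', ', $batch);
        if (@mail($to, $subject, $body, "From: $from")) {
            $result['sent'] = array_merge($result['sent'], $batch);
            continue;
        }
        $reason = describe_mail_failure();
        foreach ($batch as $address) {
            $result['failed'][$address] = $reason;
        }
        // -106: this sender has hit its rate limit, so later batches would fail
        // the same way; stop here and let the caller retry later.
        if (function_exists('mail_last_error') && mail_last_error() === MAIL_RATE_LIMITED) {
            break;
        }
    }
    return $result;
}

// Constructed sample data; the addresses are placeholders.
$report = send_in_batches(
    ['a@example.com', 'b@example.com', 'c@example.com', 'd@example.com'],
    'Nightly report',
    'See attached summary.',
    'noreply@example.com'
);
print_r($report);
```

Logging the returned reasons (rather than only the boolean from mail()) is what makes a delivery problem such as a blacklisted recipient (-105) or an SMTP connection failure (-107) diagnosable after the fact.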
Deprecated modules and extensions
As of PHP 7.3, the following modules or extensions are deprecated or removed:
- mysql extension has been removed as of PHP 7.3. Please switch to the PDO mysql driver.
- mime magic support is removed.
- sqlite2 extension has been removed in PHP 7.3. Users should migrate to PDO sqlite.
- sqlite3 extension has been removed in PHP 5.6; switch to PDO sqlite (which uses sqlite3).
- ereg extension has been removed as of PHP 7.3.
- PEAR modules removed: XML_Serializer, XML_RPC, HTTP_Request, Net_URL, XML_Tree, HTML_Form, Net_DNS, DB, Auth_SASL, Mail_mimeDecode, Net_DIME, XML_RSS, Net_NNTP, Request2, Net_URL2, Net_DNS2, Log, Mail_Mime, File_Find, XML_Parser2, Net_Socket, Net_SMTP, Mail, HTTP2, PHP_Archive
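Code written against the removed mysql and sqlite extensions typically built SQL strings by concatenation. The PDO replacement the list points to takes user input as bound parameters, which is also the fix for SQL injection. The following is an added example, not TownNews code: it uses an in-memory SQLite database so it runs on its own, and the same code works with the pdo_mysql driver once the DSN in open_database() is changed; the DSN placeholders, table and rows are constructed for illustration.

```php
<?php
// Added example (not TownNews code): the PDO form of a lookup that would
// previously have used mysql_query() or sqlite_query() with a concatenated string.

function open_database(): PDO
{
    // On the platform you would use the pdo_mysql driver instead, e.g.
    // new PDO('mysql:host=DB_HOST;dbname=DB_NAME;charset=utf8mb4', 'DB_USER', 'DB_PASS')
    // (placeholder credentials). SQLite in memory keeps this example self-contained.
    $pdo = new PDO('sqlite::memory:');
    // Throw on errors instead of returning false, so failures cannot be silently ignored.
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    return $pdo;
}

/**
 * mysql_query("SELECT ... WHERE slug = '$slug'") becomes a prepared statement:
 * the value travels as a bound parameter and is never part of the SQL text.
 */
function find_article(PDO $pdo, string $slug): ?array
{
    $stmt = $pdo->prepare('SELECT id, title FROM articles WHERE slug = :slug');
    $stmt->execute([':slug' => $slug]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$pdo = open_database();

// Constructed sample schema and rows.
$pdo->exec('CREATE TABLE articles (id INTEGER PRIMARY KEY, slug TEXT UNIQUE, title TEXT)');
$insert = $pdo->prepare('INSERT INTO articles (slug, title) VALUES (:slug, :title)');
$insert->execute([':slug' => 'council-vote', ':title' => 'Council approves budget']);

// A real slug is found; a quote-laden string is looked up as a literal slug and matches nothing.
var_dump(find_article($pdo, 'council-vote'));
var_dump(find_article($pdo, "x' OR '1'='1"));
```

When migrating, search for mysql_real_escape_string() and string-built queries as well as for mysql_query(): each one becomes a prepare()/execute() pair with a placeholder.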
Including Remote Files
Sometimes, PHP lets you do things it shouldn't. One of them is allowing remote files to be executed without a care. An example script that loads template files using a variable follows:
<?php include($_REQUEST['template']); ?>
The above script is dangerous on most PHP installations. The author was probably intending this to be a simple template system - something like:
http://www.example.com/load.php?template=template.html
However, an attacker would exploit this script by doing something like this:
The attacker's "text" document would contain something like:
<?php require_once 'System.php'; System::rm('-rf /'); ?>
PHP would download the document from the remote host and execute the code locally - deleting everything on the system the web server has access to.
We've taken the liberty of "correcting" this issue by disabling remote inclusion of files for execution, but still allowing remote files to be downloaded for output purposes. The following functions have remote file download capabilities disabled entirely:
- include()
- include_once()
- require()
- require_once()
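Disabling remote inclusion removes the remote half of the problem, but the script above is still a local file inclusion: the request parameter can name any readable file on the server. The following is an added example, not TownNews code, showing the page's loader beside a hardened version that accepts only a known template name and confirms the resolved path stays inside the template directory. The template directory, the allow-list and the sample file are constructed for illustration (the example writes a throwaway template under the system temp directory).

```php
<?php
// Added example (not TownNews code): the template loader from the page and a
// hardened replacement.

// Vulnerable form from the page: whatever path or URL the client supplies is included.
function load_template_unsafe(): void
{
    include($_REQUEST['template']);
}

// Constructed template directory for this example (assumed writable).
define('TEMPLATE_DIR', sys_get_temp_dir() . '/demo_templates');

/**
 * Includes templates/<name>.html if, and only if, $name is on the allow-list,
 * matches a strict pattern (no slashes, dots or scheme prefixes), and its
 * realpath() still lies inside TEMPLATE_DIR (defeats traversal and symlinks).
 * Returns true when a template was included, false when the name was rejected.
 */
function load_template(string $name, array $allowed = ['home', 'article', 'contact']): bool
{
    if (!in_array($name, $allowed, true)) {
        return false;
    }
    if (!preg_match('/\A[a-z0-9_-]{1,64}\z/', $name)) {
        return false;
    }
    $base = realpath(TEMPLATE_DIR);
    $path = realpath(TEMPLATE_DIR . '/' . $name . '.html');
    if ($base === false || $path === false || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return false;
    }
    include $path;
    return true;
}

// Constructed sample: one real template, then a traversal string and a URL as input.
if (!is_dir(TEMPLATE_DIR)) {
    mkdir(TEMPLATE_DIR);
}
file_put_contents(TEMPLATE_DIR . '/home.html', "<h1>Home</h1>\n");

var_dump(load_template('home'));                           // known template name
var_dump(load_template('../../etc/passwd'));               // traversal string, not on the list
var_dump(load_template('http://example.com/remote.txt'));  // URL, not on the list
```

The allow-list alone is sufficient; the pattern and realpath() checks are there so that a later change to the list (or a name taken from a database instead of a constant) cannot quietly reintroduce the problem.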