Tags: php, wordpress, joomla, eval, suhosin

Suhosin and disable eval


I have installed Suhosin on my dedicated CentOS server. I have about 80 accounts on it, most of them running Joomla or WordPress sites. Some of them are outdated and sitting ducks when it comes to hacking and injection of eval code.

I would like to enable Suhosin's disable eval function but without breaking the functionality of sites that use eval in a legit way. I went through the documentation and from what I understood, the best scenario was to add this in php.ini:

suhosin.executor.disable_eval = On
suhosin.executor.eval.whitelist =
suhosin.executor.eval.blacklist = include, include_once, require, require_once, curl_init, fpassthru, file, base64_encode, base64_decode, mail, exec, system, proc_open, leak, syslog, pfsockopen, shell_exec, ini_restore, symlink, stream_socket_server, proc_nice, popen, proc_get_status, dl, pcntl_exec, pcntl_fork, pcntl_signal, pcntl_waitpid, pcntl_wexitstatus, pcntl_wifexited, pcntl_wifsignaled, pcntl_wifstopped, pcntl_wstopsig, pcntl_wtermsig, socket_accept, socket_bind, socket_connect, socket_create, socket_create_listen, socket_create_pair, link, register_shutdown_function, register_tick_function

From what I understood reading the documentation, anything that was in the blacklist would be dropped and logged, since the whitelist is empty. But that wasn't the case. It seems that EVERYTHING was dropped and logged.

Since making a whitelist is next to impossible, I would like to ask whether this has to do with my misunderstanding of the configuration or whether something is not working as it is supposed to.

Thanks in advance for any assistance.


Solution

Set

    suhosin.executor.disable_eval

to Off. If it is set to On like in your example, eval() will get disabled completely (and this is what you are seeing in the logs).

Btw, I don't think that there is a legit way of using eval() in PHP applications. Applications which are really using it should be avoided. I would turn it off completely unless something crashes and then investigate this.
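The two configurations side by side, as an added example that is not part of the question or the answer: the php.ini fragment as posted, which switches eval() off entirely, and the variant the answer recommends, in which eval() stays enabled and the blacklist (applied because the whitelist is left empty) governs what eval()'d code may call. Only settings named on this page are used.

```ini
; Added example (not from the original question or answer).

; --- As posted: disables eval() entirely --------------------------------
; With disable_eval = On, Suhosin refuses every eval() call, so the
; eval whitelist/blacklist never get a chance to apply. Every eval() in
; every site is dropped and logged, which matches what was observed.
;suhosin.executor.disable_eval = On

; --- As the answer recommends: eval() stays enabled ----------------------
; disable_eval = Off lets eval() run. The whitelist is deliberately left
; empty so that the blacklist is what applies: the listed functions are
; refused when called from inside eval()'d code, and normal code is not
; affected by this list.
suhosin.executor.disable_eval = Off
suhosin.executor.eval.whitelist =
suhosin.executor.eval.blacklist = include, include_once, require, require_once, curl_init, fpassthru, file, base64_encode, base64_decode, mail, exec, system, proc_open, leak, syslog, pfsockopen, shell_exec, ini_restore, symlink, stream_socket_server, proc_nice, popen, proc_get_status, dl, pcntl_exec, pcntl_fork, pcntl_signal, pcntl_waitpid, pcntl_wexitstatus, pcntl_wifexited, pcntl_wifsignaled, pcntl_wifstopped, pcntl_wstopsig, pcntl_wtermsig, socket_accept, socket_bind, socket_connect, socket_create, socket_create_listen, socket_create_pair, link, register_shutdown_function, register_tick_function
```

After changing php.ini, restart the web server (or PHP-FPM) so the new values are loaded, and confirm them with `php -i | grep suhosin.executor` before judging the logs again: with the On setting every eval() produces an alert, so only the Off variant tells you which sites actually trip the blacklist.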