I have installed Suhosin on my dedicated CentOS server. centos6.7+php5.4.41+suhosin0.9.36
I would like to enable Suhosin's disable eval function. I went through the documentation and from what I understood, the best scenario was to add this in php.ini:
[suhosin]
suhosin.executor.eval.blacklist= phpinfo,passthru,exec,system,chroot,scandir,chgrp,chown
but it will not prevent eval from executing phpinfo(),<?php eval(phpinfo());?>.
Really hoping someone can point out my mistake.
Your example executes phpinfo(), then tries to evaluate the output. Given your configuration the following example will be blocked by suhosin:
eval("phpinfo();");
Please consider using whitelisting as opposed to blacklisting, if applicable. From a security point of view it is always best to allow a limited set of functions rather than guess all the bad functions.
Also note, that eval itself is not a function and cannot be blocked by disable_functions and friends. Suhosin provides suhosin.executor.disable_eval for that purpose.