7

I need to prevent users from accidentally exposing private data stored in the environment variables with phpinfo(). Is there a way to configure apache or php.ini to disallow sections rendered with phpinfo?

1
  • 5
    This is actually the reason a fair few hosts disable phpinfo(); entirely. Commented Jun 18, 2012 at 21:25

2 Answers

8

The information that phpinfo() displays is a bit all or nothing. You can tell phpinfo() to limit what information to display but you have to trust your users to call the function correctly:

http://php.net/manual/en/function.phpinfo.php

You can disable the function entirely using the disable_functions directive in your php.ini file:

http://www.php.net/manual/en/ini.core.php#ini.disable-functions

For example:

    disable_functions = phpinfo

If you're feeling adventurous you could grab the PHP source, hack out the bits that render the Environment variables, then recompile. For example, in PHP 5.3.6 the relevant code can be found in /ext/standard/info.c at around line 950:

    if (flag & PHP_INFO_ENVIRONMENT) {
        SECTION("Environment");
        php_info_print_table_start();
        php_info_print_table_header(2, "Variable", "Value");
        for (env=environ; env!=NULL && *env !=NULL; env++) {
            tmp1 = estrdup(*env);
            if (!(tmp2=strchr(tmp1,'='))) { /* malformed entry? */
                efree(tmp1);
                continue;
            }
            *tmp2 = 0;
            tmp2++;
            php_info_print_table_row(2, tmp1, tmp2);
            efree(tmp1);
        }
        php_info_print_table_end();
    }

0

You can call it like this:

    phpinfo(INFO_ALL & ~INFO_ENVIRONMENT);

to remove the "Environment" section.

But it still prints the PHP Variables section containing all $_ENV values, so

    phpinfo(INFO_ALL & ~INFO_ENVIRONMENT & ~INFO_CONFIGURATION & ~INFO_VARIABLES);

strips these out, so there is not much left.

The section Apache Environment may still be visible (if you use Apache), showing some sensitive information.
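For the `disable_functions` approach from the first answer, a host can check that `phpinfo` is still effectively disabled once every ini file has been read, since a later `disable_functions` line replaces an earlier one. This is an added example, not code from either answer; the sample ini texts and the function names `effective_disabled` and `missing` are constructed for illustration.

```python
import re

# Constructed sample inputs (not from the page): a main php.ini and one
# additional .ini file from the scan directory, in the order PHP reads them.
MAIN_INI = """\
[PHP]
;disable_functions = phpinfo      ; commented out: has no effect
disable_functions = "phpinfo, exec"  ; active
"""
EXTRA_INI = "disable_functions = passthru\n"

# Only uncommented assignments match; a leading ';' makes the line a comment.
DIRECTIVE = re.compile(r"^\s*disable_functions\s*=(.*)$")


def _value(raw):
    """Strip a trailing ';' comment (outside double quotes) and the quotes."""
    out, quoted = [], False
    for ch in raw:
        if ch == '"':
            quoted = not quoted
            continue
        if ch == ";" and not quoted:
            break
        out.append(ch)
    return "".join(out).strip()


def effective_disabled(ini_texts):
    """Effective disable_functions list for ini texts given in load order.

    A later assignment replaces the earlier one; it does not extend it.
    Entries are split on commas (the documented format) and compared exactly
    as written, a deliberately strict assumption of this example.
    """
    disabled = []
    for text in ini_texts:
        for line in text.splitlines():
            m = DIRECTIVE.match(line)
            if m:
                disabled = [f.strip() for f in _value(m.group(1)).split(",") if f.strip()]
    return disabled


def missing(ini_texts, required=("phpinfo",)):
    """Names from `required` that are not effectively disabled."""
    active = effective_disabled(ini_texts)
    return [name for name in required if name not in active]


if __name__ == "__main__":
    print(missing([MAIN_INI]))             # main file alone
    print(missing([MAIN_INI, EXTRA_INI]))  # extra file overrides the list
```
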
