I've been working on a PHP application that uses the fpassthru built-in function, which reads contents from a stream or file pointer and outputs them to the output buffer. It's very similar to the readfile function, but allows me to start the output at a specific offset.
Most hosting providers I tested my product with worked just fine, and these include shared multi-tenant hosting environments. However, I found a few that have the fpassthru() function "disabled for security reasons". I spent hours researching why somebody would disable the fpassthru function, but not functions such as fopen, fread, file_get_contents, as well as readfile, but I couldn't really find anything useful.
This probably sounds silly, but my closest guess is that these hosts disabled fpassthru mistaking it for passthru, which does indeed warrant disabling, especially in shared environments. Having said that, the actual passthru function (along with exec and the rest of the family) was also disabled on these hosts.
I tried reaching out to these hosts and asked them why.
I couldn't get past sales at Flywheel, they said they couldn't answer my question, and only support can. And in order to contact support I have to become a customer. Classic.
RunCloud seemed a bit more promising at first. I got through to a "Level 3 Systems Engineer", and it took a few more days to get to a "Sr. Systems Engineer", from whom I got the following statement:
it is the best practice for PHP on RunCloud and it is the best practice for us
I asked them to elaborate, but haven't heard back in a while, so I lost hope.
Just to clarify, I'm not looking for ways around fpassthru(). I'm looking for reasons why it's occasionally listed alongside "dangerous" functions like exec(), system(), passthru(), pcntl_fork() and others, while readfile(), file_get_contents(), etc. work just fine.
If you have any insights, please share!