Default php ini now disable php system dangerous function #275
froozeify wants to merge 4 commits into glpi-project:main from
Conversation
cedric-anne left a comment
- The `tools` directory is not present in the GLPI release archives, so there is no need to allow usage of the `proc_open` function in the `glpi/glpi` image.
- IMHO, for the dev environment, there is no need to apply this configuration for the CLI context. Indeed, as long as we have to allow the usage of `proc_open`, an RCE is possible and disabling other functions is not sufficient. Since this is a dev environment, this is not an issue. Keeping the Apache configuration is still interesting as it can permit detecting unexpected calls to these functions in our code.
- Could you check if we have the posix extension in our docker image? Many `posix_*` functions should be disabled too in this case, but not the `posix_geteuid` function for instance.
- The `pcntl_async_signals`, `pcntl_signal`, `pcntl_signal_get_handler`, `pcntl_signal_dispatch` functions should not be disabled, they are useful to handle signals coming from the system.
- As a bonus, maybe we could add a rule in our custom PHPStan extension, to mark usage of these methods as an issue. It would not detect usages inside vendor packages, but, at least, it could permit to prevent using these functions in our code.
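The review points above, turned into a `php.ini` fragment as an added example (this is not the PR's own configuration nor part of the `glpi/glpi` image). The file path is hypothetical, and the selection of process-spawning and `posix_*` functions is an assumption: `disable_functions` takes an explicit comma-separated list and has no wildcard support, so `posix_*` has to be enumerated by hand, while `posix_geteuid` and the four `pcntl_*` signal functions named in the review are deliberately left out of the list.

```ini
; Hypothetical file: /usr/local/etc/php/conf.d/zz-disable-dangerous-functions.ini
; Assumed to be loaded by the web (Apache) SAPI only; per the review, the CLI
; context of the dev image does not need it because proc_open stays allowed there.
;
; disable_functions is a comma-separated list of internal function names with no
; wildcard support, so posix_* functions are listed one by one. The selection is
; an assumption for this example, not the project's list.
;
; - exec, passthru, shell_exec, system, popen, proc_open, pcntl_exec: spawn
;   processes and are the classic RCE primitives if attacker input reaches them.
; - posix_kill, posix_setuid/seteuid/setgid/setegid, posix_setsid, posix_mkfifo,
;   posix_mknod: signal, privilege and device-node manipulation.
; - posix_geteuid is intentionally NOT listed (the review asks to keep it).
; - pcntl_async_signals, pcntl_signal, pcntl_signal_get_handler and
;   pcntl_signal_dispatch are intentionally NOT listed: they are needed to
;   handle signals coming from the system.
disable_functions = exec,passthru,shell_exec,system,popen,proc_open,pcntl_exec,posix_kill,posix_setuid,posix_seteuid,posix_setgid,posix_setegid,posix_setsid,posix_mkfifo,posix_mknod
```

Two properties of the directive matter for the CLI-versus-Apache discussion: `disable_functions` is `PHP_INI_SYSTEM`, so a script cannot re-enable a function with `ini_set()`, and it is read from whichever ini files the running SAPI loads, so the effective list must be verified from the web SAPI (for example a page that echoes `ini_get('disable_functions')`) rather than from `php -i` on the CLI, which may load a different configuration.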
I had disabled it for the dev env, so we could mimic the prod image as closely as possible. PHPStan extension: glpi-project/phpstan-glpi#16
Disable dangerous PHP functions to prevent RCE.
I checked on GLPI 11 for usage of those commands; only core tools use them.
But those tools are not exposed in the PROD image, so it should not cause any issue.
I didn't check for plugins as they should normally not use any of these system calls (just a doubt if they expose sf commands).