In some common environments, PHP Execution environments can bypass php. security-related configuration set in ini execute commands or do other operations details: In the PHP-FPM environment fastcgi run PHP, because the PHP-FPM cannot know where our fastcgi request comes from, so I can mimic the fcgi protocol to initiate forged requests to the PHP-FPM. And since 5.3.3, The PHP-FPM allows the use of fcgi parameters PHP_VALUE, PHP_ADMIN_VALUE to set the content of php. ini, so you can use this to override the original php security settings. The result is as follows:Solution:In fact, this is really not very well repaired. You can temporarily remove the support for PHP_VALUE, but this is only a temporary solution. Let's see how PHP officially handles it. After all, he could not solve the problem that "The PHP-FPM could not know where our fastcgi request came from. This is another architecture problem.