Newsgroups: php.internals
To: Stanislav Malyshev, Dmitry Stogov, PHP internals
Message-ID: <145164c0-9145-5527-c8d2-8a069a89b9b8@gmx.de>
Date: Sat, 29 Dec 2018 12:27:58 +0100
Subject: Re: [PHP-DEV] [RFC] [VOTE] FFI - Foreign Function Interface
From: cmbecker69@gmx.de ("Christoph M. Becker")

On 29.12.2018 at 00:59, Stanislav Malyshev wrote:

> If this extension were not enabled by default and required explicit
> enabling action to build - that's fine, if you did it, we assume you
> know what you're doing enough to assume the risk. But if it's present
> and enabled by default in a common PHP build, I am concerned that we're
> creating a small stepstone making PHP systems easier to exploit. Again,
> it's not a security issue per se, and there are layers of that should
> prevent any problem - but that's the thing, security works in layers,
> and FFI would make it one layer weaker.

As I understand it, the extension would not be compiled by default, but
rather has to be enabled using an explicit --with-ffi configure
option[1] (or --enable-ffi on Windows[2]). Furthermore, the extension
can't be compiled statically (I presume this is by design), so some
action would already be required before ffi.enable=preload would be
effective.

[1]
[2]

--
Christoph M. Becker