Newsgroups: php.internals
Xref: news.php.net php.internals:104438
From: cmbecker69@gmx.de ("Christoph M. Becker")
To: PHP internals
Date: Fri, 15 Feb 2019 15:00:52 +0100
Message-ID: <46354329-38ca-82a2-352d-71394e0ce6bd@gmx.de>
Subject: Mitigate “Magellan vulnerabilities” in PHP 7.2?

Hi!

You may have heard about the so-called “Magellan vulnerabilities”[1], which potentially affect scripts that allow untrusted users to execute almost arbitrary SQL queries. BohwaZ provided a pull request[2] which introduces an ini setting that enables the defenses built into SQLite ≥ 3.26.0 against the corruption of tables via SQL.

In my opinion, adding this ini setting to PHP-7.4 is a no-brainer, but I suggest that we backport it to PHP-7.2 as well.

And likely we should offer something of this kind for PDO as well. Not sure if a driver-specific ini setting would be suitable. Suggestions welcome!

Thoughts?

[1]
[2]

--
Christoph M. Becker
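As an added illustration (my own code, not part of the message above or of the pull request it references): a small PHP check of whether the SQLite schema-write defenses the message refers to are active in a given build. It assumes the ini directive is named sqlite3.defensive (the message does not name it) and that PHP's SQLite3 extension is loaded.

```php
<?php
// Added example, not from the original message or from BohwaZ's pull request.
// Defender-side check: is the SQLite "defensive" mode actually in effect here?
// The ini directive name "sqlite3.defensive" is an assumption; the message
// above only says "an ini setting".

function sqliteDefensiveStatus(): array
{
    // SQLite3::version() returns ['versionString' => ..., 'versionNumber' => ...]
    $version   = SQLite3::version();
    $libraryOk = version_compare($version['versionString'], '3.26.0', '>=');

    // ini_get() returns false when the directive does not exist in this build.
    $ini        = ini_get('sqlite3.defensive');
    $iniEnabled = $ini !== false && filter_var($ini, FILTER_VALIDATE_BOOLEAN);

    // Behavioural probe on a throwaway in-memory database: with the defensive
    // flag set, "PRAGMA writable_schema=ON" is disabled, so reading the pragma
    // back must still yield 0. Without it, the read-back yields 1.
    $db = new SQLite3(':memory:');
    $db->exec('PRAGMA writable_schema=ON');
    $writable = (int) $db->querySingle('PRAGMA writable_schema');
    $db->close();

    return [
        'sqlite_version'  => $version['versionString'],
        'library_ok'      => $libraryOk,        // library new enough to offer the defenses
        'ini_enabled'     => $iniEnabled,       // directive present and switched on
        'schema_writable' => $writable === 1,   // true means the hardening is NOT active
        'hardened'        => $libraryOk && $writable === 0,
    ];
}

foreach (sqliteDefensiveStatus() as $key => $value) {
    printf("%-16s %s\n", $key, var_export($value, true));
}
```

If `schema_writable` comes back true, the build either lacks the directive or has it turned off, and scripts that pass untrusted SQL to SQLite remain exposed to the schema-corruption class the message describes.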