Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:107862
Return-Path: <benjamin.morel@gmail.com>
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 57897 invoked from network); 26 Nov 2019 18:17:13 -0000
Received: from unknown (HELO php-smtp3.php.net) (208.43.231.12)
  by pb1.pair.com with SMTP; 26 Nov 2019 18:17:13 -0000
Received: from php-smtp3.php.net (localhost [127.0.0.1])
	by php-smtp3.php.net (Postfix) with ESMTP id B0F6F2D1FEA
	for <internals@lists.php.net>; Tue, 26 Nov 2019 08:11:54 -0800 (PST)
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on php-smtp3.php.net
X-Spam-Level: 
X-Spam-Status: No, score=-2.0 required=5.0 tests=BAYES_00,DKIM_SIGNED,
	DKIM_VALID,DKIM_VALID_AU,FREEMAIL_FROM,HTML_MESSAGE,MIME_QP_LONG_LINE,
	RCVD_IN_DNSWL_NONE,SPF_HELO_NONE autolearn=no autolearn_force=no
	version=3.4.2
X-Spam-ASN:  
X-Spam-Virus: Error (Cannot connect to unix socket
	'/var/run/clamav/clamd.ctl': connect: Connection refused)
Received: from mail-wr1-x441.google.com (mail-wr1-x441.google.com [IPv6:2a00:1450:4864:20::441])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by php-smtp3.php.net (Postfix) with ESMTPS
	for <internals@lists.php.net>; Tue, 26 Nov 2019 08:11:54 -0800 (PST)
Received: by mail-wr1-x441.google.com with SMTP id i12so23214216wro.5
        for <internals@lists.php.net>; Tue, 26 Nov 2019 08:11:54 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20161025;
        h=content-transfer-encoding:from:mime-version:subject:date:message-id
         :references:cc:in-reply-to:to;
        bh=l+VMy/+r7WQed3xFl7/pP8Ul9XGafIX2obo0NB/IFPc=;
        b=ggwUXY9Bzbb6aWxBdUBbsS07VwTtjhVK9msGZMvpom+9d/KVaeFFF0NcdXDfQax0rZ
         VSXd5Ji6K6PrGKIhR6rxbTvvEtylbSa2pjr3T+udP140LwTN3UkdWEgd3s6GlwWlVgxi
         Bm5c2THWDqxde2+MlytgZu/7/fEINZ0BDjStobubd6coIBAQOfxkI/BDClN3ukgXL6dp
         qX4Z+i3krYKStXLmYTJicnWoFtCKdDjMA8A7DyR6LvhwyAum/bE2ZsGImq5SOdEWHZcD
         2QeoUzHLN0E2AoRqI9ovo1yqyIb+JBJketXxa5s/tnBbhdSFV1cRDnRBBabdE+BuZ7Do
         PpwA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:content-transfer-encoding:from:mime-version
         :subject:date:message-id:references:cc:in-reply-to:to;
        bh=l+VMy/+r7WQed3xFl7/pP8Ul9XGafIX2obo0NB/IFPc=;
        b=mMD7NbZTcztniBz2MhxI/Axok0ByGh8GqYBNjZxkZ/WzoOHQ9VxTI4Cs/EXoe2Fl/y
         4IaRVWUl02JZnfpHxYQU6V9MUtUgLDken95dkFnC3V3xtaNszZuLlsWvxFNHQ+f/88BJ
         Wmo0F/I1b3zi9IS7501XaN7E3RF0dwY2k6u8JQSAJckQbMFvNQnOpHgF3W+ROIxlZa/k
         dzjxPkosSMGf4/hAJ+VmHp6XBjnv3G7sj7mvw2Q/pn7jpSKv+1DU5I1Kt4AT3oIb+MNx
         MO7IZnLmooqIPFM4Kc6BWUTG9nYp6+LUvVvZpx3zIOEnwMmMfGglHBTQN2ivmC1o0nmd
         P+TA==
X-Gm-Message-State: APjAAAWejc9FOdq4JZaEhhiGZKD6cF7BD3Kbcou+fVl1Bt+0dEbXihVF
	vBFNns29kFCsibt1HzvJIos=
X-Google-Smtp-Source: APXvYqzqVN64muOo0oDwweSi5KY6LO94QX6969AZ1Zl1FbpBuRXErqNbcWged4DlLmF6VOfR+NytJg==
X-Received: by 2002:a5d:5092:: with SMTP id a18mr35452483wrt.297.1574784712541;
        Tue, 26 Nov 2019 08:11:52 -0800 (PST)
Received: from [10.141.188.47] ([37.171.205.23])
        by smtp.gmail.com with ESMTPSA id u16sm15347544wrr.65.2019.11.26.08.11.51
        (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128);
        Tue, 26 Nov 2019 08:11:51 -0800 (PST)
Content-Type: multipart/alternative; boundary=Apple-Mail-2CC6A52C-DF2A-4E7E-99BD-F548F3466670
Content-Transfer-Encoding: 7bit
Mime-Version: 1.0 (1.0)
Date: Tue, 26 Nov 2019 17:11:50 +0100
Message-ID: <A7F945D0-C227-462C-9505-159EBA78B979@gmail.com>
References: <CAAupm8h5Aa4EmnGnHX1iVgcQTCpmW-3yD4e6m7aouZFiSCtGrA@mail.gmail.com>
Cc: internals@lists.php.net
In-Reply-To: <CAAupm8h5Aa4EmnGnHX1iVgcQTCpmW-3yD4e6m7aouZFiSCtGrA@mail.gmail.com>
To: Ian Littman <iansltx@gmail.com>
X-Mailer: iPhone Mail (17B102)
X-Envelope-From: <benjamin.morel@gmail.com>
Subject: Re: [PHP-DEV] Let's allow eval() to be turned off in PHP 8
From: benjamin.morel@gmail.com (Benjamin Morel)

--Apple-Mail-2CC6A52C-DF2A-4E7E-99BD-F548F3466670
Content-Type: text/plain;
	charset=utf-8
Content-Transfer-Encoding: quoted-printable

Hi Ian,

IMO, eval() is secure, as long as:

- you=E2=80=99re not using it, or
- you=E2=80=99re using it properly

I=E2=80=99d say that as soon as your server has been compromised, eval() is t=
he last of your worries, as pretty much anything becomes possible, including=
 writing PHP code to a file and including/executing it. So I feel like disab=
ling eval() will just make =C2=AB hackers =C2=BB have a good laugh.

Regarding (arguably) legitimate use cases that would suffer from eval() bein=
g disabled, is a Schema.org parser library I wrote, that dynamically creates=
 objects that implement arbitrary interfaces:

https://github.com/brick/schema/blob/master/src/ObjectFactory.php

IMHO, disabling eval() would not increase the security of PHP, and could be a=
nnoying for libraries relying (sparingly) on it, for lack of anything better=
.

Best,
Benjamin

> Le 26 nov. 2019 =C3=A0 16:52, Ian Littman <iansltx@gmail.com> a =C3=A9crit=
 :
>=20
> =EF=BB=BFHi all,
>=20
> Let's just say that eval() and create_function() are the cornerstone of
> PHP-based exploit toolkits. Yes, if the hackers get in there are other
> problems with your codebase, but as a defense in depth measure most
> applications need neither create_function() nor the eval() language
> construct, so they might as well be disabled.
>=20
> create_function() is easy enough to drop with a didabled_functions ini
> directive, and is going away "no later than PHP 8.0", per its deprecation
> notice as of 7.2. eval() on the other hand can't be disabled that way, as
> it's not actually a function. So this seems like an excellent candidate fo=
r
> another ini setting, as from a security standpoint you *want* this change
> to be global. Yes, if every shared host turned this on by default, old cod=
e
> would break. But I Suhosin allows doing this anyway (
> https://stackoverflow.com/questions/25037015/suhosin-and-disable-eval) so
> it's not like the option hasn't been available...though it's been over fou=
r
> years since we've had a stable release of Suhosin.
>=20
> Similar to disable_functions, if the ini setting turning off eval() got
> set, you shouldn't be able to override it via ini_set() in code. We can us=
e
> a similar warning to the display_disabled_function one here.
>=20
> One alternative to adding an entirely new INI setting would be to allow
> disabled_functions to work on eval. That means that somewhere in the INI
> parsing/stubbing/warning process (and maybe all three places) will get a
> bit more complex, but that would have the benefit of not having to explain=

> to anyone editing the ini file that eval() is a language construct rather
> than a function and thus can't be disabled the normal way (I was just
> apprised of this mistake last today).
>=20
> =46rom taking a quick look at Suhosin code, the way they're handling this m=
ay
> be somewhat informative for creating a patch directly to core, but as a
> bolt-on it looks like they can't be as efficient, so any patch to core
> would be inspired by, rather than a copy of, how that extension's
> eval-handling is built.
>=20
> I feel strongly enough about this to help with the text side of the RFC,
> and maybe even dive into php-src to assist with a patch, though I have
> neither karma for posting the former nor enough C acumen to do the latter
> all by myself. But I want to make sure I won't get immediately shot down i=
f
> I try going down that road...and if other folks like the idea, I could use=

> some help here putting it together.
>=20
> What do y'all think about getting this into PHP 8?
>=20
> Thanks in advance,
>=20
> Ian Littman

--Apple-Mail-2CC6A52C-DF2A-4E7E-99BD-F548F3466670--