Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:107864 Return-Path: Delivered-To: mailing list internals@lists.php.net Received: (qmail 62778 invoked from network); 26 Nov 2019 18:32:41 -0000 Received: from unknown (HELO php-smtp3.php.net) (208.43.231.12) by pb1.pair.com with SMTP; 26 Nov 2019 18:32:41 -0000 Received: from php-smtp3.php.net (localhost [127.0.0.1]) by php-smtp3.php.net (Postfix) with ESMTP id 78C6F2CEF8C for ; Tue, 26 Nov 2019 08:27:22 -0800 (PST) X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on php-smtp3.php.net X-Spam-Level: X-Spam-Status: No, score=-2.0 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,FREEMAIL_FROM,HTML_MESSAGE,RCVD_IN_DNSWL_NONE, SPF_HELO_NONE autolearn=no autolearn_force=no version=3.4.2 X-Spam-ASN: AS3215 2.6.0.0/16 X-Spam-Virus: Error (Cannot connect to unix socket '/var/run/clamav/clamd.ctl': connect: Connection refused) Received: from mail-ua1-x943.google.com (mail-ua1-x943.google.com [IPv6:2607:f8b0:4864:20::943]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by php-smtp3.php.net (Postfix) with ESMTPS for ; Tue, 26 Nov 2019 08:27:21 -0800 (PST) Received: by mail-ua1-x943.google.com with SMTP id s14so5877970uad.2 for ; Tue, 26 Nov 2019 08:27:21 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=t402wqa3c380uXjGDe2MDXMNav+NEAQNDSrG2jM9Gu8=; b=WjZF1xVwVcNF7N8t9Kzwp3w/dBD/uVr45CMIeTtvnFuj07DiBuM99jeZnnuTZlN0f7 V5l5808S9LjUs1TgOOkhT0+fXSGZH+EJxGDgko/Pcs3X4BkX5/38qgGktFcp3sQePOg/ HEGyqy6EGhOxLQXrI+82ZUxHsPPMY2DCPyNa9hOIPK73eZPIhS1bKns/fptifnpW7uYY /qkV9c6Ol54qLrh0mK4M6TV8nL5xHNZpogBP0IuTkt1QIvNuf2xH1BiX79iaJ1ip0ZZL iGqdwue8eJM/6fdWAvOvqgUDmwb7UohKLYBNEZjb5InpQaFVCkeDcR/Pu+PRWJK6QqUb bcpw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=t402wqa3c380uXjGDe2MDXMNav+NEAQNDSrG2jM9Gu8=; b=JhZPrjk9iWEqwOVgbRAv5Znqyh8YZCfQgBTmvRegMOWzdFqtJt4ZY7Y14tU1tXvySm 1yvA0PEWzciffl+IOT+0dOFuJfQCoBSXqeK07hs0a3egEk7L0jrOA3YZNTBv0TWywMJ7 FjmZDHYuq9gXxPdRxN8akjoRdX7layxUEDWSkpysHh9x043KNmx3UtV1fGTbIngbfsbO zKJHHPdXjUglVqKEMzLKrWDsv05EE3CNQfM5qQEJNMdZ6c1hZ9paZztDdbuuaEL2VLU1 UeUHVokgA7syp0DLAFWl0AdwjYRaKG//QP611lrMgOkm+eLx6uI8HCnTnx/70bfwxD+e 04Sg== X-Gm-Message-State: APjAAAX8BDKOKF0yZ459+r+HEZIMzp/QHCx4y7xvUac8cCpmaCj9Dyb8 ozKWbiLmxeDJNky3MD+3pQNDwkcDQYyEMvBFvQU= X-Google-Smtp-Source: APXvYqyfAb474JiMfyLmoDQHjpRZaH9jV6ZjDYBgQKjcmMo6d4U9kMb9DosvnyvNqJ9cbGHa1zC74shvJ7L62uJPGdk= X-Received: by 2002:a9f:2304:: with SMTP id 4mr23255388uae.69.1574785640926; Tue, 26 Nov 2019 08:27:20 -0800 (PST) MIME-Version: 1.0 References: In-Reply-To: Date: Tue, 26 Nov 2019 10:27:09 -0600 Message-ID: To: Benjamin Morel Cc: internals@lists.php.net Content-Type: multipart/alternative; boundary="000000000000b99e130598425a1e" X-Envelope-From: Subject: Re: [PHP-DEV] Let's allow eval() to be turned off in PHP 8 From: iansltx@gmail.com (Ian Littman) --000000000000b99e130598425a1e Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable You're right that turning off eval() isn't a silver bullet, and if you can get external code running on someone's box there are a lot worse things you can do. That said, if eval() and create_function() fail, the exploit samples that I've recently come in contact with stop working, and it becomes more difficult to obfuscate said code when you can't string-concatenate your way into a script. Yes, I could rewrite those kits to do similar stuff, provided I have the ability to write to somewhere on disk that can then be executed as PHP. But injecting a BC break like this for malware, means a temporary respite while scripts get rewritten (*if* they get rewritten; I was seeing mysql_* calls in these samples) at the very least, and probably less-obfuscated malware to boot. Again, I'm asking about an opt-in option here, just like disabled_functions (and, again, this isn't a new concept, see Suhosin). Responsibility for the tradeoff between flexibility/functionality and security still lies with whoever's building the environment to run the code. This is just giving another tool in the toolbox, on top of things like ensuring all executable paths are read-only at runtime. Ian On Tue, Nov 26, 2019 at 10:11 AM Benjamin Morel wrote: > Hi Ian, > > IMO, eval() is secure, as long as: > > - you=E2=80=99re not using it, or > - you=E2=80=99re using it properly > > I=E2=80=99d say that as soon as your server has been compromised, eval() = is the > last of your worries, as pretty much anything becomes possible, including > writing PHP code to a file and including/executing it. So I feel like > disabling eval() will just make =C2=AB hackers =C2=BB have a good laugh. > > Regarding (arguably) legitimate use cases that would suffer from eval() > being disabled, is a Schema.org parser library I wrote, that dynamically > creates objects that implement arbitrary interfaces: > > https://github.com/brick/schema/blob/master/src/ObjectFactory.php > > IMHO, disabling eval() would not increase the security of PHP, and could > be annoying for libraries relying (sparingly) on it, for lack of anything > better. > > Best, > Benjamin > > Le 26 nov. 2019 =C3=A0 16:52, Ian Littman a =C3=A9cri= t : > > =EF=BB=BFHi all, > > Let's just say that eval() and create_function() are the cornerstone of > PHP-based exploit toolkits. Yes, if the hackers get in there are other > problems with your codebase, but as a defense in depth measure most > applications need neither create_function() nor the eval() language > construct, so they might as well be disabled. > > create_function() is easy enough to drop with a didabled_functions ini > directive, and is going away "no later than PHP 8.0", per its deprecation > notice as of 7.2. eval() on the other hand can't be disabled that way, as > it's not actually a function. So this seems like an excellent candidate f= or > another ini setting, as from a security standpoint you *want* this change > to be global. Yes, if every shared host turned this on by default, old co= de > would break. But I Suhosin allows doing this anyway ( > https://stackoverflow.com/questions/25037015/suhosin-and-disable-eval) so > it's not like the option hasn't been available...though it's been over fo= ur > years since we've had a stable release of Suhosin. > > Similar to disable_functions, if the ini setting turning off eval() got > set, you shouldn't be able to override it via ini_set() in code. We can u= se > a similar warning to the display_disabled_function one here. > > One alternative to adding an entirely new INI setting would be to allow > disabled_functions to work on eval. That means that somewhere in the INI > parsing/stubbing/warning process (and maybe all three places) will get a > bit more complex, but that would have the benefit of not having to explai= n > to anyone editing the ini file that eval() is a language construct rather > than a function and thus can't be disabled the normal way (I was just > apprised of this mistake last today). > > From taking a quick look at Suhosin code, the way they're handling this m= ay > be somewhat informative for creating a patch directly to core, but as a > bolt-on it looks like they can't be as efficient, so any patch to core > would be inspired by, rather than a copy of, how that extension's > eval-handling is built. > > I feel strongly enough about this to help with the text side of the RFC, > and maybe even dive into php-src to assist with a patch, though I have > neither karma for posting the former nor enough C acumen to do the latter > all by myself. But I want to make sure I won't get immediately shot down = if > I try going down that road...and if other folks like the idea, I could us= e > some help here putting it together. > > What do y'all think about getting this into PHP 8? > > Thanks in advance, > > Ian Littman > > --000000000000b99e130598425a1e--