Newsgroups: php.internals
Date: Tue, 26 Nov 2019 13:01:30 -0600
Subject: Re: [PHP-DEV] Let's allow eval() to be turned off in PHP 8
From: iansltx@gmail.com (Ian Littman)
To: Guilliam Xavier
Cc: Benjamin Morel, internals@lists.php.net

Thanks for the reference. For convenience, here's the PR that contains a bit more context: https://github.com/php/php-src/pull/4084

Definitely don't want to screw up Xdebug, so this would require a more nuanced approach (see also: why I don't want to just try to create a patch).

Again, this doesn't solve attack vectors where attackers can write to the FS and then include from it. But it does close one-step "read from this URL, base64-decode, and eval the result" approaches. One less tool in the hacker toolbox for "cleanly" executing arbitrary code is all I'm looking for here.
Ian

On Tue, Nov 26, 2019 at 12:45 PM Guilliam Xavier wrote:

> For the record, a few months ago,
> https://github.com/php/php-src/pull/4084 (extending
> `disable_functions` to handle `eval`) was first merged but finally
> reverted (requested by Xdebug), and the feature request
> https://bugs.php.net/bug.php?id=62397 was closed (with an
> explanation).
>
> --
> Guilliam Xavier