Newsgroups: php.internals
Xref: news.php.net php.internals:107867
Date: Tue, 26 Nov 2019 16:44:15 -0500
Subject: Re: [PHP-DEV] Let's allow eval() to be turned off in PHP 8
From: mike@newclarity.net (Mike Schinkel)
To: Ian Littman, PHP internals
Cc: Benjamin Morel

> On Nov 26, 2019, at 11:27 AM, Ian Littman wrote:
>
> You're right that turning off eval() isn't a silver bullet, and if you can
> get external code running on someone's box there are a lot worse things you
> can do.
>
> On Tue, Nov 26, 2019 at 10:11 AM Benjamin Morel wrote:
>
>> Hi Ian,
>>
>> IMO, eval() is secure, as long as:
>>
>> - you’re not using it, or
>> - you’re using it properly
>>
>> I’d say that as soon as your server has been compromised, eval() is the
>> last of your worries, as pretty much anything becomes possible, including
>> writing PHP code to a file and including/executing it. So I feel like
>> disabling eval() will just make « hackers » have a good laugh

There might be a good argument for turning eval() and create_function() off by default for command-line use?

#jmtcw

-Mike