Newsgroups: php.internals
Subject: Re: [PHP-DEV] Let's allow eval() to be turned off in PHP 8
From: iansltx@gmail.com (Ian Littman)
Date: Tue, 26 Nov 2019 15:54:49 -0600
To: Mike Schinkel
Cc: PHP internals, Benjamin Morel

create_function() will be gone as of PHP 8 anyway. For eval(), e.g. psysh uses it (and, as a result, e.g. Laravel Tinker). So defaulting eval to disabled doesn't seem tenable. Not what I'm asking anyway... I just want the *ability* to turn it off (likely only in apache/fpm configs actually, leaving it on for the CLI).

On Tue, Nov 26, 2019 at 3:44 PM Mike Schinkel wrote:

> On Nov 26, 2019, at 11:27 AM, Ian Littman wrote:
>
> > You're right that turning off eval() isn't a silver bullet, and if you can get external code running on someone's box there are a lot worse things you can do.
> >
> > On Tue, Nov 26, 2019 at 10:11 AM Benjamin Morel wrote:
> >
> > > Hi Ian,
> > >
> > > IMO, eval() is secure, as long as:
> > >
> > > - you're not using it, or
> > > - you're using it properly
> > >
> > > I'd say that as soon as your server has been compromised, eval() is the last of your worries, as pretty much anything becomes possible, including writing PHP code to a file and including/executing it. So I feel like disabling eval() will just make « hackers » have a good laugh
>
> There *might* be a good argument for turning eval() and create_function() off by default for command-line use?
>
> #jmtcw
>
> -Mike