Newsgroups: php.internals
Xref: news.php.net php.internals:107870
Subject: Re: [PHP-DEV] Let's allow eval() to be turned off in PHP 8
From: smalyshev@gmail.com (Stanislav Malyshev)
To: Ian Littman
Cc: internals@lists.php.net
Date: Tue, 26 Nov 2019 14:29:37 -0800
Message-ID: <16d6d6a0-7989-28f9-51d2-c4be1d4d96c9@gmail.com>

Hi!
> You're right that turning off eval() isn't a silver bullet, and if you can
> get external code running on someone's box there are a lot worse things you
> can do.

I think the important point here is not that you can do worse things than eval() but that you can do *anything*. Once you can execute code on the remote side, there are no security barriers PHP can provide for you. If the PHP engine were coded as an execution engine for hostile code that guarantees security against untrusted code (like, for example, VM supervisors) then it'd be different, but I don't think the PHP engine ever provided that guarantee. And with that, I think banning eval() just provides a false sense of security.

-- 
Stas Malyshev
smalyshev@gmail.com
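The point made in the mail above can be shown concretely. The following is an added example, written for this page; it is not code from Stas's message, from the RFC under discussion, or from php-src. It assumes a PHP 8 CLI with a writable temp directory, and the string `$untrusted` is a constructed stand-in for a string an attacker already controls. It runs that string as code three ways: through eval(), through include of a file the script wrote itself, and through the data:// stream wrapper. Only the first path is touched by any proposal to switch eval() off; the other two are ordinary language features that remain available as long as code is executing at all.

```php
<?php
declare(strict_types=1);

// Added example, not part of the original mail or of php-src. It executes the
// same attacker-controlled string by three different routes; eval() is only
// one of them, so removing eval() alone does not create a security boundary.

// Constructed input: stands in for a string an attacker already controls.
$untrusted = 'strtoupper("executed on " . PHP_OS_FAMILY)';

function run_via_eval(string $code): mixed
{
    // eval() is a language construct, not a function: function_exists('eval')
    // is always false and the disable_functions ini setting cannot name it.
    return eval("return {$code};");
}

function run_via_include(string $code): mixed
{
    // Assumption: the process can write to sys_get_temp_dir(). include parses
    // the file as PHP source, so this is eval() with a filesystem round-trip.
    $path = tempnam(sys_get_temp_dir(), 'ex');
    file_put_contents($path, "<?php return {$code};");
    try {
        return include $path;
    } finally {
        unlink($path);
    }
}

function run_via_data_wrapper(string $code): mixed
{
    // The data:// wrapper is only includable when allow_url_include=On, which
    // is Off by default; this route is open only on hosts that loosened it.
    if (!filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN)) {
        return null;
    }
    $payload = base64_encode("<?php return {$code};");
    return include 'data://text/plain;base64,' . $payload;
}

// Check whether eval() is even visible as a function (it never is).
var_dump(function_exists('eval'));

// All three routes evaluate the same untrusted string.
var_dump(run_via_eval($untrusted));
var_dump(run_via_include($untrusted));
var_dump(run_via_data_wrapper($untrusted));
```

Running this on a default configuration, the eval() and include routes return the same value, while the data:// route returns null because allow_url_include is Off. The practical takeaway matches the argument in the thread: a defender who wants a boundary between trusted and untrusted code has to put it outside the PHP process (a separate user, container or VM, with the filesystem and stream wrappers locked down), not inside the engine by removing one construct.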