Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:107871 Return-Path: Delivered-To: mailing list internals@lists.php.net Received: (qmail 32541 invoked from network); 27 Nov 2019 00:49:51 -0000 Received: from unknown (HELO php-smtp3.php.net) (208.43.231.12) by pb1.pair.com with SMTP; 27 Nov 2019 00:49:51 -0000 Received: from php-smtp3.php.net (localhost [127.0.0.1]) by php-smtp3.php.net (Postfix) with ESMTP id A3F1E2D201A for ; Tue, 26 Nov 2019 14:44:36 -0800 (PST) X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on php-smtp3.php.net X-Spam-Level: X-Spam-Status: No, score=-1.0 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,FREEMAIL_FROM,FREEMAIL_REPLY,HTML_MESSAGE, RCVD_IN_DNSWL_NONE,SPF_HELO_NONE autolearn=no autolearn_force=no version=3.4.2 X-Spam-ASN: AS3215 2.6.0.0/16 X-Spam-Virus: Error (Cannot connect to unix socket '/var/run/clamav/clamd.ctl': connect: Connection refused) Received: from mail-ua1-x935.google.com (mail-ua1-x935.google.com [IPv6:2607:f8b0:4864:20::935]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by php-smtp3.php.net (Postfix) with ESMTPS for ; Tue, 26 Nov 2019 14:44:36 -0800 (PST) Received: by mail-ua1-x935.google.com with SMTP id z9so6296375uan.3 for ; Tue, 26 Nov 2019 14:44:36 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=vw0RoyGihrgQq2q42yPrQ98//jWTXwhGQrVIe6PLMzc=; b=i0I5r8hxGqs1k4upQOvY8UAnh06A6pSYhLmFx/pP0aMYMC0AQE+8hNpWF+zeOsEg+c rlwl/fGWx44xp9+iy8+/CdSct34iIRhb2A3wvRkLjOE+/Fznshs2p+Xg10OWVutl1qhQ ZekFAefVeQt3XCc0wnu70etqoeQbJ0zobKMto14WcfKuKZtYoVwhfbUVtAVNrUdlP0fk URM0BNaKRigFVYSxflhk4IDBQjFuxOlCDaLGstWGJuzULY4wZs/YGF/Pd9tS0s1IO70d qOeIYqmoR45pP+gCtQsaZLScnNK9ae1VAS+Z2NEC1Wl2gut8YIsl904pWIgwQCBoESSM iDOw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=vw0RoyGihrgQq2q42yPrQ98//jWTXwhGQrVIe6PLMzc=; b=PRLX9TDhT3J9u3CAEloyqmJKO3+q2ygc+JDlX8GloHB8xU7saIZ0BCSzuA5RoNYMv9 mPQ8ZRoYFTq0ETpvVQU0IbGsgxjazVKHqBkoKwLdSlG73LZ7hmnUuOKsiJ5kgIXNfxxe FfOJc/lcxKA/w5TWZNrzawOTgex9hovDiBOSZu1pTI/F4harwhNMGXBRViKNBTVTQNjZ F6oFM1DvvPXGcNqUVcWEtfBVAO6urD7VeoKKp3BcSTSQts+M+wkx8mmiJVPl8XVtMHTn gE0PGjdZmaftDUtJg2DQ8CFyMjZOUV5ClpKmnO2Cta4ZDkoh8tsMnIU9DpMqTE6JBj6h 9HTQ== X-Gm-Message-State: APjAAAXRBsxDVadmCs+oZhp29Iz9M0R3T1aU9gp2s9c5Xg3kdc3OU67b IqW2WsoG9pvqc3mHD1HsyIriNSygw6+BPa0i0Xo= X-Google-Smtp-Source: APXvYqytEKlSVWCGbOoSoDrYqiI9jLQAol4I5kqWf4OjPg1a59k0il+yWwfY285s11oyf+PqL9jsw3IZpL1aeSospWY= X-Received: by 2002:ab0:608f:: with SMTP id i15mr729944ual.20.1574808275388; Tue, 26 Nov 2019 14:44:35 -0800 (PST) MIME-Version: 1.0 References: <05388310-2c80-2b42-a564-0fda2b6a2396@gmail.com> In-Reply-To: <05388310-2c80-2b42-a564-0fda2b6a2396@gmail.com> Date: Tue, 26 Nov 2019 16:44:24 -0600 Message-ID: To: Stanislav Malyshev Cc: PHP internals Content-Type: multipart/alternative; boundary="000000000000d80f950598479fbb" X-Envelope-From: Subject: Re: [PHP-DEV] Let's allow eval() to be turned off in PHP 8 From: iansltx@gmail.com (Ian Littman) --000000000000d80f950598479fbb Content-Type: text/plain; charset="UTF-8" Main holes that this closes are: 1. Being able to run code fetched remotely without ever hitting disk 2. Being able to run code transformed directly from an obfuscated state I have examples of both techniques; reply directly to me if you're curious. One of the examples breaks if create_function isn't available. The other two break if eval() isn't available. One interesting thing with item #1 is that it allows for remote arbitrary code execution even if no include-able path on a server is writable. This comes into play if there's a supply chain attack on your app. Say, an infected update on a CMS plugin. Get an eval() of a file_get_contents() of a URL into the code and...well, you get code execution that (if you're lucky) only leaves a trace in logs. If you have to write a file somewhere first, then include it, you've got a bit more of a footprint. Can you work around these restrictions? Yep, but it takes a bit more effort than the current setup. It doesn't make a server secure by any stretch, but it reduces its attack surface slightly, and reduces the universe of malicious code that won't error out, forcing malefactors to work just a bit harder. To be crystal clear, **I am not asking for disabling eval() by default**. Just for it to be disable-able, as create_function already is. This isn't a resolution for all things security-related. Just one more thing to slow attackers down. Heck, if we can't agree on having the ability to disable eval() (which, again, Suhosin has), how about catching cases where someone throws eval into disabled_functions and warning them that the difference between a function and a language construct renders their INI declaration useless? Ian On Tue, Nov 26, 2019 at 4:21 PM Stanislav Malyshev wrote: > Hi! > > > Let's just say that eval() and create_function() are the cornerstone of > > PHP-based exploit toolkits. Yes, if the hackers get in there are other > > problems with your codebase, but as a defense in depth measure most > > applications need neither create_function() nor the eval() language > > construct, so they might as well be disabled. > > I get defense in depth, but I don't understand what it means in this > case. Since you're talking about disabling functions, I assume we're > talking about the situation where there's code execution access. From > that point, you can execute any code. What is the value of disabling > eval() here? You don't need eval, you can run any code you want > directly! Am I missing something here? > > -- > Stas Malyshev > smalyshev@gmail.com > --000000000000d80f950598479fbb--