Newsgroups: php.internals
Xref: news.php.net php.internals:107873
Subject: Re: [PHP-DEV] Let's allow eval() to be turned off in PHP 8
From: ocramius@gmail.com (Marco Pivetta)
Date: Wed, 27 Nov 2019 00:20:32 +0100
To: Benjamin Morel
Cc: Ian Littman, Stanislav Malyshev, PHP internals
References: <05388310-2c80-2b42-a564-0fda2b6a2396@gmail.com>

Assuming preloading (big assumption), disabling `eval()` as well as `include*` and `require*` would probably close off most RCEs. That would break a lot of stuff, but it would certainly make for a very interesting experiment.

On Wed, Nov 27, 2019, 00:09 Benjamin Morel wrote:

> > One interesting thing with item #1 is that it allows for remote arbitrary code execution even if no include-able path on a server is writable. This comes into play if there's a supply chain attack on your app. Say, an infected update on a CMS plugin. Get an eval() of a file_get_contents() of a URL into the code and... well, you get code execution that (if you're lucky) only leaves a trace in logs. If you have to write a file somewhere first, then include it, you've got a bit more of a footprint.
>
> You don't have to hit disk, or have any writable path. You can just create a stream wrapper that stores the "files" in memory, and include them as you would include a regular file.
>
> > Can you work around these restrictions? Yep, but it takes a bit more effort than the current setup. It doesn't make a server secure by any stretch, but it reduces its attack surface slightly, and reduces the universe of malicious code that won't error out, forcing malefactors to work just a bit harder.
>
> Disabling eval() really doesn't reduce the attack surface at all, if you ask me. Malefactors will quickly & easily adapt their tools, which script kiddies will use as before.
>
> — Benjamin
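The thread turns on three facts about a PHP deployment: eval() is a language construct that disable_functions cannot switch off, include/require will fetch remote code when allow_url_include is on, and any registered stream wrapper (including one added at runtime) can serve "files" to include without touching disk. The script below is an added example, written for this page and not taken from the thread or from the PHP project, that reports those settings at deploy time so an operator can see what a particular php.ini actually leaves open. The EXPECTED_WRAPPERS allowlist is an assumption that must be adjusted to what the application really needs; everything else it reads comes from documented PHP functions and INI directives.

```php
<?php
// Added example, not part of the thread or of PHP itself: audit the
// settings that decide whether "include from memory or URL" is possible.

// Assumption: wrapper schemes this application is known to need. Any other
// registered wrapper (for example one added at runtime by third-party code
// via stream_wrapper_register()) is reported for review, not removed.
const EXPECTED_WRAPPERS = ['file', 'php', 'phar', 'compress.zlib'];

function auditIncludeSurface(array $expected = EXPECTED_WRAPPERS): array
{
    $findings = [];

    // 1. disable_functions lists functions, and eval() is a language
    //    construct, so it is never covered by that directive. Record the
    //    list, and state explicitly that eval() is not among the things it
    //    can turn off, so nobody reads the directive as covering it.
    $disabled = array_filter(array_map('trim',
        explode(',', (string) ini_get('disable_functions'))));
    $findings['disable_functions'] = array_values($disabled);
    $findings['eval_disabled_by_ini'] = false;

    // 2. With allow_url_include on, include/require accept URL wrappers, so
    //    the file_get_contents()-plus-eval() path Ian describes does not
    //    even need eval(). allow_url_fopen is reported alongside it.
    $findings['allow_url_include'] =
        filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN);
    $findings['allow_url_fopen'] =
        filter_var(ini_get('allow_url_fopen'), FILTER_VALIDATE_BOOLEAN);

    // 3. Benjamin's point: a wrapper serving content from memory makes a
    //    read-only filesystem irrelevant to include. List every registered
    //    wrapper and flag the ones outside the allowlist.
    $registered = stream_get_wrappers();
    $findings['registered_wrappers'] = $registered;
    $findings['unexpected_wrappers'] =
        array_values(array_diff($registered, $expected));

    // 4. Marco's "big assumption": is opcache.preload configured at all?
    //    (ini_get() returns false when opcache is not loaded; cast to "".)
    $findings['opcache_preload'] = (string) ini_get('opcache.preload');

    return $findings;
}

function printReport(array $findings): void
{
    foreach ($findings as $key => $value) {
        $shown = is_array($value) ? implode(', ', $value) : var_export($value, true);
        printf("%-24s %s\n", $key . ':', $shown === '' ? '(none)' : $shown);
    }
    if ($findings['allow_url_include']) {
        echo "WARNING: allow_url_include is on; include/require will load remote code.\n";
    }
    if ($findings['unexpected_wrappers'] !== []) {
        echo "WARNING: stream wrappers outside the allowlist are registered; review them.\n";
    }
}

printReport(auditIncludeSurface());
```

Run it with the same php.ini and SAPI the application uses (`php -c /path/to/php.ini audit.php`), since CLI defaults differ from the web server's; the wrapper list in particular reflects whatever extensions and runtime registrations are present in that process.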