Newsgroups: php.internals
Date: Thu, 13 Jul 2023 21:25:34 +0000
To: internals@lists.php.net
Subject: Security implications of parsing env variables in .ini
From: sergey@shymko.net (Sergii Shymko)

Hi internals team,

During the discussion of extending the .ini env variable parsing capabilities with the ability to specify defaults, it occurred to me that the whole feature of env variables may have undesirable security implications.

For instance, the functions parse_ini_string() and parse_ini_file() do support the aforementioned env variable syntax, because the underlying code is reused. That means that these functions can potentially be exploited to read sensitive information! For example:

    AWS_SECRET_ACCESS_KEY=amazonWebServicesSecretAccessKeyExample1 php -r 'var_export(parse_ini_string("secret=\${AWS_SECRET_ACCESS_KEY}"));'

    array (
      'secret' => 'amazonWebServicesSecretAccessKeyExample1',
    )

This only affects INI_SCANNER_NORMAL (the default). Should the mode argument be changed to disallow the env parsing by default? Perhaps another constant can be introduced to activate it, for example:

    INI_SCANNER_NORMAL | INI_SCANNER_PARSE_ENV

This would be a BC-breaking behavior, but it's doubtful many people expected the env variable parsing syntax to extend to the parse_ini_file/string() functions in the first place.

P.S.
My email client doesn't properly support the top-reply and/or quoting requirements of the mailing list. That's what made me disengage from the mailing list, to not annoy anybody with butchered reply threads, until I find time to migrate to another email client. Here's a related tweet of mine: https://twitter.com/SergiiShymko/status/1679598903925129222?s=20

Regards,
Sergii Shymko
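The behaviour described in the message above, shown side by side with the mitigation that already exists in the parse_ini_string() API: passing INI_SCANNER_RAW as the scanner mode, which takes values literally and performs no ${...} expansion. This is an added example and not code from the original message or from php-src; the environment variable, its value and the "untrusted" INI content are constructed here, and parse_untrusted_ini() is a hypothetical wrapper name.

```php
<?php
// Added example: demonstrates env-variable expansion by parse_ini_string()
// in the default scanner mode and how INI_SCANNER_RAW prevents it.

// Constructed secret, set in this process only so the example runs offline.
putenv('AWS_SECRET_ACCESS_KEY=amazonWebServicesSecretAccessKeyExample1');

// Constructed attacker-controlled INI content, e.g. an uploaded config file
// or a settings blob read from a database.
$untrusted = "secret=\${AWS_SECRET_ACCESS_KEY}\n";

// Default mode (INI_SCANNER_NORMAL): the ${NAME} reference is replaced with
// the value of the environment variable, leaking it to whoever controls
// the INI text and can observe the parsed result.
var_export(parse_ini_string($untrusted));
echo "\n";

// Raw mode: the value is returned as written, no expansion takes place.
var_export(parse_ini_string($untrusted, false, INI_SCANNER_RAW));
echo "\n";

/**
 * Hypothetical hardened wrapper for INI input that does not come from the
 * application's own configuration files. Raw mode means no ${...} expansion,
 * so environment variables cannot be read through the parsed content.
 * Returns the parsed array, or false on a syntax error (as parse_ini_string does).
 */
function parse_untrusted_ini(string $ini, bool $processSections = false): array|false
{
    return parse_ini_string($ini, $processSections, INI_SCANNER_RAW);
}

$safe = parse_untrusted_ini($untrusted);
assert($safe['secret'] === '${AWS_SECRET_ACCESS_KEY}');
```

The first var_export() prints the secret's value under the key 'secret'; the second prints the literal string '${AWS_SECRET_ACCESS_KEY}'. The trade-off with raw mode is that it also disables the other value processing normal mode performs (constant substitution, boolean/null keywords), so it suits configuration that should be treated as plain data rather than as PHP-aware INI.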