Newsgroups: php.internals
Subject: Re: [PHP-DEV] Security implications of parsing env variables in .ini
From: David Gebler (davidgebler@gmail.com)
Date: Fri, 14 Jul 2023 02:34:52 +0100
To: Sergii Shymko
Cc: internals@lists.php.net

On Thu, Jul 13, 2023 at 10:25 PM Sergii Shymko wrote:

> For instance, functions parse_ini_string() and parse_ini_file() do support
> the aforementioned env variables syntax, because the underlying code is
> reused. That means that these functions can potentially be exploited to
> read sensitive information!
>
> For example:
> AWS_SECRET_ACCESS_KEY=amazonWebServicesSecretAccessKeyExample1 php -r
> 'var_export(parse_ini_string("secret=\${AWS_SECRET_ACCESS_KEY}"));'
> array (
>   'secret' => 'amazonWebServicesSecretAccessKeyExample1',
> )
>

If you find any way to exploit this, you've already breached enough to have
sufficient access to read the entire environment available to the PHP user
anyway (for example, you already had a way to inject arbitrary code into a
script which is eval'd or whatever...) in which case, why would you care about
parse_ini_string when you could just e.g. var_dump(getenv())?
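Added example, not code from either poster or from php-src: it reproduces the expansion the thread discusses with a constructed variable `DEMO_SECRET`, then wraps parse_ini_string() for INI text that does not come from a trusted source. The `INI_SCANNER_RAW` layer rests on the manual's statement that raw mode leaves option values unparsed; that it also skips `${...}` expansion is an assumption to confirm on your PHP build, which is why the explicit `${` check comes first.

```php
<?php
// Added example, not from the thread: parse_ini_string() expands ${NAME}
// from the environment, so INI text from an untrusted source can read any
// variable the PHP process can see. Shown beside a wrapper that refuses it.

// Constructed environment variable, standing in for a real credential.
putenv('DEMO_SECRET=constructed-secret-value');

// INI text supplied by an untrusted party (e.g. an uploaded config file).
$untrusted = "secret=\${DEMO_SECRET}\nname=app\n";

// Default scanner mode: the reference is expanded and the value leaks.
$leaked = parse_ini_string($untrusted);
var_dump($leaked['secret']);

/**
 * Parse INI text that does not come from a trusted source.
 *
 * Layer 1 rejects any "${" reference before the scanner ever sees it.
 * Layer 2 uses INI_SCANNER_RAW, which the manual documents as leaving option
 * values unparsed; it is assumed here (check your PHP version) that this
 * also skips ${...} expansion, so it is a backstop rather than the only guard.
 */
function parse_untrusted_ini(string $ini): array
{
    if (str_contains($ini, '${')) {
        throw new InvalidArgumentException('INI variable references are not allowed');
    }
    $result = parse_ini_string($ini, false, INI_SCANNER_RAW);
    if ($result === false) {
        throw new RuntimeException('INI text could not be parsed');
    }
    return $result;
}

try {
    parse_untrusted_ini($untrusted);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}

// Ordinary values still parse; only the suspicious input is rejected.
var_dump(parse_untrusted_ini("name=app\n"));
```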