Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:120819
Return-Path: <davidgebler@gmail.com>
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 78386 invoked from network); 14 Jul 2023 16:04:03 -0000
Received: from unknown (HELO php-smtp4.php.net) (45.112.84.5)
  by pb1.pair.com with SMTP; 14 Jul 2023 16:04:03 -0000
Received: from php-smtp4.php.net (localhost [127.0.0.1])
	by php-smtp4.php.net (Postfix) with ESMTP id AB5981804D0
	for <internals@lists.php.net>; Fri, 14 Jul 2023 09:04:02 -0700 (PDT)
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on php-smtp4.php.net
X-Spam-Level: 
X-Spam-Status: No, score=-0.7 required=5.0 tests=BAYES_05,DKIM_SIGNED,
	DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_FROM,HTML_MESSAGE,
	RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H3,RCVD_IN_MSPIKE_WL,SPF_HELO_NONE,
	SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=no autolearn_force=no
	version=3.4.2
X-Spam-ASN: AS15169 209.85.128.0/17
X-Spam-Virus: No
X-Envelope-From: <davidgebler@gmail.com>
Received: from mail-oa1-f53.google.com (mail-oa1-f53.google.com [209.85.160.53])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange ECDHE (P-256) server-signature ECDSA (P-256) server-digest SHA256)
	(No client certificate requested)
	by php-smtp4.php.net (Postfix) with ESMTPS
	for <internals@lists.php.net>; Fri, 14 Jul 2023 09:04:02 -0700 (PDT)
Received: by mail-oa1-f53.google.com with SMTP id 586e51a60fabf-1b06777596cso1664037fac.2
        for <internals@lists.php.net>; Fri, 14 Jul 2023 09:04:02 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20221208; t=1689350641; x=1691942641;
        h=to:subject:message-id:date:from:in-reply-to:references:mime-version
         :from:to:cc:subject:date:message-id:reply-to;
        bh=DNfrtPR/VMXkUfYmLqWOR2ckXG2Zhfh8rkkd7B4IgFw=;
        b=cIyf92NTe4cBB0WniD+3RcsNqPMXfQMWCeVBttjbo2dsEUhnRpGG4piqxDSU/7c82d
         jS9VH4/fJJnQcBMWpyEv44ZVz166gbolb1f8/F8rQxPmKJ91/tsPqzscNpXqvaXzq7xp
         Ym7XjRJA+xafNAWl4+DZYxsRBQPYOSnrFKXnE5WoFNDiCxJWUO4ZRmcOPsNsBeIGF9tJ
         YSKof9hpDRf+tOy9mur/gLQFRhlWPPrsmD4tLKSA6bPyMEmi0uwOzDkPe5Zdx4t2pcM/
         uAiiiJsNOpce9L1e8AM+yy0EHnPpDD4ZLUqP6wzEaiPgbClADV6kO26OB4pzv/lDBc9b
         R6fQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20221208; t=1689350641; x=1691942641;
        h=to:subject:message-id:date:from:in-reply-to:references:mime-version
         :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to;
        bh=DNfrtPR/VMXkUfYmLqWOR2ckXG2Zhfh8rkkd7B4IgFw=;
        b=KG+ogy3DjbWJ8i0iYknawoHqraB71v92rlAZIl7WjHuJFmsR9SNzFwjLyeOBGRdIOX
         Eix7RDSAAfiSQlsMxMmk0h1YJkKMSPM+ZCoilafjI1rQV1VqNMpRDggf8CsjYP3ZV+1F
         QJ+4R+K+hc+CL6CklNkscVRPZXCgdEwOhHSd+W/bdsSjqsdSOOE0tLxgqXajtf01ATVT
         0mLb/njMW6Jvg2kX6woAM2Rm3OJfmaF/uTWFbNABII0Ct6uIV+3N3Q0Bugr+fJyiTTCa
         zp1AKZIaGUFz1VNuz4jHGFQeMhy9gsvy7ExDF6EcUqr+QBKw1virkzabclJFqnfYowHD
         rLLg==
X-Gm-Message-State: ABy/qLaZsB7RqbRbwuerSapfxclb8NPvT9BPhUetGiAYQBxJDGsPuH65
	brDizzahZPf0PWyo4IEwFBUzM676fZ9wBDVuhCeqPRIErm4=
X-Google-Smtp-Source: APBJJlEJg4qCtAcpp4PwUFnFaOicw4RH1e+5DwS4ip7bc/96yOFSHNNsg02k0YOxtjUEq2VaKBJFZ92VoCuwQx/9nT8=
X-Received: by 2002:a05:6870:569e:b0:1b0:57f8:dabf with SMTP id
 p30-20020a056870569e00b001b057f8dabfmr6422162oao.33.1689350641328; Fri, 14
 Jul 2023 09:04:01 -0700 (PDT)
MIME-Version: 1.0
References: <PH8PR10MB63375994E22A3A9321C01C60BF37A@PH8PR10MB6337.namprd10.prod.outlook.com>
 <CA+p1FaamHz=nfa=_bQ+NVg51yoXmnzxfEHpmVNXjaX2pxdCZig@mail.gmail.com> <57CF1A83-4861-4AE0-92D4-5724A40A00D0@woofle.net>
In-Reply-To: <57CF1A83-4861-4AE0-92D4-5724A40A00D0@woofle.net>
Date: Fri, 14 Jul 2023 17:03:49 +0100
Message-ID: <CA+p1FaYWnEmzP4kywtJ7Mb7L+ypxojHkVEWFR+oqDvn1WX0u-g@mail.gmail.com>
To: "internals@lists.php.net" <internals@lists.php.net>
Content-Type: multipart/alternative; boundary="000000000000e0a4b6060074981c"
Subject: Re: [PHP-DEV] Security implications of parsing env variables in .ini
From: davidgebler@gmail.com (David Gebler)

--000000000000e0a4b6060074981c
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

On Fri, Jul 14, 2023 at 3:08=E2=80=AFAM Dusk <dusk@woofle.net> wrote:

> 2) These expansions should probably be disabled by INI_SCANNER_RAW; that
> flag already disables certain other types of value interpolation. (Oddly,
> it doesn't disable expansion of constants either; that might be worth
> revisiting as well.)


Environment variable parsing is already disabled by INI_SCANNER_RAW mode,
isn't it? Personally I don't think the default/normal mode should behave
differently. If you're passing untrusted input to parse_ini_string, you
should be sanitizing, white listing or using raw mode anyway really.

--000000000000e0a4b6060074981c--