Newsgroups: php.internals
Xref: news.php.net php.internals:120820
Date: Fri, 14 Jul 2023 09:33:05 -0700
From: dusk@woofle.net (Dusk)
To: David Gebler
Cc: internals@lists.php.net
Subject: Re: [PHP-DEV] Security implications of parsing env variables in .ini
Message-ID: <3D4C34A1-360A-4CA7-AE12-C40BC5AADA0E@woofle.net>
References: <57CF1A83-4861-4AE0-92D4-5724A40A00D0@woofle.net>

On Jul 14, 2023, at 09:03, David Gebler wrote:

> On Fri, Jul 14, 2023 at 3:08 AM Dusk wrote:
>> 2) These expansions should probably be disabled by INI_SCANNER_RAW; that
>> flag already disables certain other types of value interpolation. (Oddly,
>> it doesn't disable expansion of constants either; that might be worth
>> revisiting as well.)
>
> Environment variable parsing is already disabled by INI_SCANNER_RAW mode,
> isn't it?

Oops! You're correct (and it does also disable constant expansion). I was passing the flag to $process_sections by mistake.
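The argument-position mistake described in the reply, shown as an added example that is not part of the thread: `INI_SCANNER_RAW` is only honoured when passed as the third parameter (`$scanner_mode`) of `parse_ini_string()`; in the second position it is taken as a truthy `$process_sections`, so the default normal scanner still runs and `${VAR}` references in untrusted ini text are resolved against the process environment. The env var name and ini snippet are constructed for the demonstration.

```php
<?php
// Constructed demo value, so the output does not depend on the host environment.
putenv('DEMO_SECRET=s3cr3t-from-env');

// Constructed ini text as an untrusted caller might supply it: the value is an
// environment-variable reference, not a literal token.
$ini = "token = \${DEMO_SECRET}\n";

function compareScannerModes(string $ini): array
{
    return [
        // Default scanner mode: ${DEMO_SECRET} is expanded to the env value.
        'normal'        => parse_ini_string($ini)['token'],

        // Bug from the thread: INI_SCANNER_RAW (int 1) lands in $process_sections,
        // $scanner_mode stays INI_SCANNER_NORMAL, and expansion still happens.
        'flag_misplaced' => parse_ini_string($ini, INI_SCANNER_RAW)['token'],

        // Correct call: raw mode as the third argument keeps the literal text.
        'raw'           => parse_ini_string($ini, false, INI_SCANNER_RAW)['token'],
    ];
}

foreach (compareScannerModes($ini) as $mode => $value) {
    printf("%-15s %s\n", $mode, $value);
}
```

Only the `raw` entry yields the literal `${DEMO_SECRET}`; the other two return the environment value, which is the leak the thread's subject refers to when ini content comes from an untrusted source.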