Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:120821
Return-Path: <php@bohwaz.net>
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 97213 invoked from network); 14 Jul 2023 22:17:17 -0000
Received: from unknown (HELO php-smtp4.php.net) (45.112.84.5)
  by pb1.pair.com with SMTP; 14 Jul 2023 22:17:17 -0000
Received: from php-smtp4.php.net (localhost [127.0.0.1])
	by php-smtp4.php.net (Postfix) with ESMTP id C99E9180339
	for <internals@lists.php.net>; Fri, 14 Jul 2023 15:17:16 -0700 (PDT)
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on php-smtp4.php.net
X-Spam-Level: 
X-Spam-Status: No, score=-1.7 required=5.0 tests=BAYES_00,DKIM_INVALID,
	DKIM_SIGNED,SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=no
	autolearn_force=no version=3.4.2
X-Spam-ASN: AS16276 91.121.0.0/16
X-Spam-Virus: No
X-Envelope-From: <php@bohwaz.net>
Received: from mail.kd2.org (citrouille.kd2.org [91.121.181.110])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange ECDHE (P-256) server-signature ECDSA (P-256) server-digest SHA256)
	(No client certificate requested)
	by php-smtp4.php.net (Postfix) with ESMTPS
	for <internals@lists.php.net>; Fri, 14 Jul 2023 15:17:16 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=bohwaz.net;
	s=mail; h=Content-Transfer-Encoding:Content-Type:MIME-Version:References:
	In-Reply-To:Message-ID:Subject:To:From:Date:Sender:Reply-To:Cc:Content-ID:
	Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc
	:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe:
	List-Post:List-Owner:List-Archive;
	bh=sjlHaj1pZucwTGwhNUVtXerIUnyFo42dDVAodn+j3m4=; b=hch/ncZ74R0UCOsyAcQZRM7mJn
	AeXlrNVahgmpyBCSWfHJMYemGvXIMgkQ5vdR4PqoPvNPfjgnLTSUt68q4seJBWlrdNWL0U8msrim/
	o/PQjCEJYJMZ0aqUHFWTzpuI9bvCJUgNETlWPinR9FM9hW7F5Nf7mk21T+FR8aL4XoNo=;
Received: from 132.197.23.93.rev.sfr.net ([93.23.197.132] helo=platypus)
	by mail.kd2.org with esmtpsa  (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
	(Exim 4.94.2)
	(envelope-from <php@bohwaz.net>)
	id 1qKR6A-007WO3-9U
	for internals@lists.php.net; Sat, 15 Jul 2023 00:17:15 +0200
Date: Sat, 15 Jul 2023 00:17:07 +0200
To: internals@lists.php.net
Message-ID: <20230715001707.708ddb08@platypus>
In-Reply-To: <3D4C34A1-360A-4CA7-AE12-C40BC5AADA0E@woofle.net>
References: <PH8PR10MB63375994E22A3A9321C01C60BF37A@PH8PR10MB6337.namprd10.prod.outlook.com>
 <CA+p1FaamHz=nfa=_bQ+NVg51yoXmnzxfEHpmVNXjaX2pxdCZig@mail.gmail.com>
 <57CF1A83-4861-4AE0-92D4-5724A40A00D0@woofle.net>
 <CA+p1FaYWnEmzP4kywtJ7Mb7L+ypxojHkVEWFR+oqDvn1WX0u-g@mail.gmail.com>
 <3D4C34A1-360A-4CA7-AE12-C40BC5AADA0E@woofle.net>
X-Mailer: Claws Mail 3.17.8 (GTK+ 2.24.33; x86_64-pc-linux-gnu)
X-Face: #"dGtXaYpS9,C:d{FJZ<@4|;AL[R;I`|\;HN}zkw(rmBsu$)Dhed/z8e%U@Ra@JQ;,Nx?Xopxa+:gb?}efqG\/7TnBPHBRjU^g}$;rL4"jYrE#M^%*(?;Qb{HHbOf"q}bnOjU.'SEL:||\2*swZ>NN9pe(pnejy{ijk9%/8<c(t~OfPZ}?+c<'Peli
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
X-Authenticated-User: bwz@bohwaz.net
X-Authenticator: login
X-Invalid-HELO: HELO is no FQDN (contains no dot) (See RFC2821 4.1.1.1)
X-Sender-Verify: SUCCEEDED (sender exists & accepts mail)
Subject: Re: [PHP-DEV] Security implications of parsing env variables in
 .ini
From: php@bohwaz.net (BohwaZ)

This is a valid concern, as we are side-loading plugins in our
software, where plugin information is defined in a .ini file.

But somehow I thought that INI_SCANNER_TYPED was a bit like
INI_SCANNER_RAW but also able to handle null/true/false values.

Unfortunately it's not the case:

php > var_export(parse_ini_string("secret=\${AWS_SECRET_ACCESS_KEY}",
false, INI_SCANNER_TYPED)); array (
  'secret' => '42',
)

If you want to be able to have false/true/null values without expanding
variables and constants you are out of luck.

Maybe we should have another constant to be able to disable both
variable and constant expansion when using parse_ini_* functions, for
example:

parse_ini_file('file.ini', false,
  INI_SCANNER_TYPED & ~INI_SCANNER_EXPANSION);

Or something similar.