Newsgroups: php.internals
Xref: news.php.net php.internals:120823
Subject: Re: [PHP-DEV] Security implications of parsing env variables in .ini
From: Tim Düsterhus <tim@bastelstu.be>
To: internals@lists.php.net
Date: Mon, 17 Jul 2023 14:52:57 +0200

Hi

On 7/14/23 18:03, David Gebler wrote:
>> 2) These expansions should probably be disabled by INI_SCANNER_RAW; that
>> flag already disables certain other types of value interpolation. (Oddly,
>> it doesn't disable expansion of constants either; that might be worth
>> revisiting as well.)
>
>
> Environment variable parsing is already disabled by INI_SCANNER_RAW mode,
> isn't it? Personally I don't think the default/normal mode should behave
> differently. If you're passing untrusted input to parse_ini_string, you
> should be sanitizing, whitelisting or using raw mode anyway really.
>

Defaults matter. Developers should not need to provide
INI_SCANNER_PLEASE_DONT_PWN_ME to safely use a function. Yes, the function
is documented to behave "like php.ini's parsing", but injecting potentially
sensitive environment variables still violates the principle of least
surprise for me. Nothing about the function's behavior or documentation
indicates that it might be unsafe to use with untrusted input data.

A short term improvement might be adding an explicit yellow warning to the
documentation page.

Best regards
Tim Düsterhus
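The behaviour the thread is arguing about, shown as an added example that is not part of either message: the default scanner mode expands `${NAME}` in an INI value from the process environment, while `INI_SCANNER_RAW` keeps the text literal. The environment variable and the INI text are constructed for the demonstration.

```php
<?php
// Added example (not from the mailing-list thread). Shows why untrusted
// INI text is a problem in the default mode of parse_ini_string().

// Constructed: a secret the process happens to hold in its environment.
putenv('DB_PASSWORD=hunter2-constructed');

// Constructed: INI text that an untrusted party controls. No quotes are
// used so that only the ${...} expansion is being demonstrated.
$untrusted = "display_name = \${DB_PASSWORD}\n";

// Weak: default scanner mode resolves ${DB_PASSWORD} against the
// environment, so the secret ends up in the parsed result.
$normal = parse_ini_string($untrusted);
var_dump($normal['display_name']);   // string(19) "hunter2-constructed"

// Hardened: INI_SCANNER_RAW does not interpolate, so the value stays as
// the literal text the caller supplied.
$raw = parse_ini_string($untrusted, false, INI_SCANNER_RAW);
var_dump($raw['display_name']);      // string(14) "${DB_PASSWORD}"

// Defensive check a caller can apply before parsing in default mode:
// reject input that contains an expansion sequence at all.
function containsIniExpansion(string $ini): bool
{
    return str_contains($ini, '${');
}

var_dump(containsIniExpansion($untrusted));   // bool(true)
```

Raw mode is the mitigation the thread refers to; the `containsIniExpansion()` helper is only a hypothetical pre-check for code that must stay in default mode.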