Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:120896
Return-Path: <george.banyard@gmail.com>
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 73670 invoked from network); 14 Aug 2023 14:18:00 -0000
Received: from unknown (HELO php-smtp4.php.net) (45.112.84.5)
  by pb1.pair.com with SMTP; 14 Aug 2023 14:18:00 -0000
Received: from php-smtp4.php.net (localhost [127.0.0.1])
	by php-smtp4.php.net (Postfix) with ESMTP id D4FE71804D4
	for <internals@lists.php.net>; Mon, 14 Aug 2023 07:17:59 -0700 (PDT)
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on php-smtp4.php.net
X-Spam-Level: 
X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED,
	DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_FROM,HTML_MESSAGE,
	RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,SPF_PASS,
	T_SCC_BODY_TEXT_LINE autolearn=no autolearn_force=no version=3.4.2
X-Spam-ASN: AS15169 209.85.128.0/17
X-Spam-Virus: No
X-Envelope-From: <george.banyard@gmail.com>
Received: from mail-pf1-f175.google.com (mail-pf1-f175.google.com [209.85.210.175])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange ECDHE (P-256) server-signature ECDSA (P-256) server-digest SHA256)
	(No client certificate requested)
	by php-smtp4.php.net (Postfix) with ESMTPS
	for <internals@lists.php.net>; Mon, 14 Aug 2023 07:17:58 -0700 (PDT)
Received: by mail-pf1-f175.google.com with SMTP id d2e1a72fcca58-686c06b806cso2803628b3a.2
        for <internals@lists.php.net>; Mon, 14 Aug 2023 07:17:58 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20221208; t=1692022677; x=1692627477;
        h=cc:to:subject:message-id:date:from:mime-version:from:to:cc:subject
         :date:message-id:reply-to;
        bh=asMSiFrQ73meNfwNr66E1gqaK6n3PZHWLdIOKF6FPhQ=;
        b=MM8Y1vtyz9GQFlzeirAyYJ3NGI8qtcn9fIb8v7Nen1jl+Kg8Zm+HU2Ldr8zR3CiT1f
         mS0UpMWZl/JWxb6RJltwaTViP52xnTbmxL/5e5wgFo3hinbRQlpVoGSntHi1lzvTJG0r
         XlbOFTE0kTbsWLJ+18fws5If3D6r5ls87lfkYa0ank68EAdKSjsXBN1Tg5YW2nslUorG
         HWjbrcCj6jfKn/667YSzW26ZmSM3yb3X2FLBeKCVBhphRVsvJ6WmR6uYOeWJrig7T7p1
         WfPbAjQfnZYKkLz/HLaD5IxF6g6Q7zX1h8xhlAIzse6Aa5VAldReIVGe2jpd1h2YBfDt
         GQTg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20221208; t=1692022677; x=1692627477;
        h=cc:to:subject:message-id:date:from:mime-version:x-gm-message-state
         :from:to:cc:subject:date:message-id:reply-to;
        bh=asMSiFrQ73meNfwNr66E1gqaK6n3PZHWLdIOKF6FPhQ=;
        b=NGLnMiBW0CsFGhAvJI62oa1z8/2I5HxVuUkNKZR+4gmmcG4cqGbLeZ4ftSutwmA8ps
         9TAQTpGFQ7yFx4M//L8ESiIOxemIlYlvPPqUOxbC9gHpRG3pI7ID0+yftgmmZYfi6mYx
         uBSkPk/sM1IWyWj961ypRR27q1jViRuFsT8hq4v2G5rROYOFbZB8TuRHEyZVORWo8NQt
         Mqu+p5IJAv8wiDSYa9CRdB5ylnp3LXxP1pvsDhdxa2m7r8XSQwaweQVhSl26+wfo4mbq
         ICPdVS0kGlYGj6kTyKLvq1cRsos974BUI8juteiHHOYUKAf74wLepunxtXl69BkSZGvO
         rTMA==
X-Gm-Message-State: AOJu0YxhyhKVTT4yVkNHhN9N/Ep/5YdEt5iOk5tgzw/Xd2RhdfW7PXy4
	y4Fqti/Q6eyXQwYYl6GL9yjYcALheyqOVuG8JFiWO9OROcUuWQ==
X-Google-Smtp-Source: AGHT+IEh6QfBEIgeLyaoMiXSAg3ormQNSRMEdRBLDjJYXxWYJGjDVyosud+3TtqFfQ333p7KPz7SSM1Ieda7k6isXcs=
X-Received: by 2002:a17:90a:e651:b0:263:f4cc:a988 with SMTP id
 ep17-20020a17090ae65100b00263f4cca988mr6442813pjb.5.1692022677084; Mon, 14
 Aug 2023 07:17:57 -0700 (PDT)
MIME-Version: 1.0
Date: Mon, 14 Aug 2023 15:17:45 +0100
Message-ID: <CAFPFaMLBZixUFa=7=9Gxj60D=4QyfSpF9se-U+6CRoShzCrFrA@mail.gmail.com>
To: PHP internals <internals@lists.php.net>
Cc: Jakub Zelenka <bukka@php.net>, eric@eamann.com, adoy@php.net
Content-Type: multipart/alternative; boundary="0000000000009ea24c0602e2bab4"
Subject: [PHP-DEV] Removing support for the disable_classes INI setting
From: george.banyard@gmail.com ("G. P. B.")

--0000000000009ea24c0602e2bab4
Content-Type: text/plain; charset="UTF-8"

Hello internals,

While working on some DNF type bugs, I discovered some major issues around
the disable_classes INI setting implementation. Such as:

- A double-free of the type of a typed property
- A use after free (which segfaults) when trying to access a property
defined on a disabled class that was extended (e.g. disabling Exception)
- A use after free when var_dumping a disabled class that has its own
handler (as it will assume properties to be allocated)
- And likely more considering the lack of tests surrounding this feature

This feature seems of dubious nature, and the only justification given when
adding support for this in the changelog of PHP 4.3.2 is:

New "disable_classes" php.ini option to allow administrators to disable
certain classes for security reasons. [1]

However, only classes defined by extensions can be disabled, and such a
class is critical for the correct operation of said extension.
As such, what one should do for security reasons is to not enable the
extension in the first place.

Moreover, compared to the behaviour of disable_functions which, as of PHP
8.0, removes the function declaration completely, disable_classes does not
remove the declaration of the class, but just "overloads" the object
creation process to not initialize the object and emit a warning.
Meaning, it is totally valid to instantiate a disabled class and pass it
around to functions for them to blow up when they try to use the object as
intended.

Considering the major flaws in the implementation of said feature, the
dubious nature of it, and the seeming lack of usage of it (considering none
of the above breaking bugs have been reported).
I would like to remove this feature in PHP 8.3, even though I know we are
past feature freeze and close to the first RC.

I have CCed the RMs for 8.3, and would like the opinion of other people on
if this removal makes sense to the majority of people

Sincerely,

George P. Banyard

[1] https://externals.io/message/2076

--0000000000009ea24c0602e2bab4--