Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:120900
Return-Path: <larry@garfieldtech.com>
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 90350 invoked from network); 14 Aug 2023 19:03:45 -0000
Received: from unknown (HELO php-smtp4.php.net) (45.112.84.5)
  by pb1.pair.com with SMTP; 14 Aug 2023 19:03:45 -0000
Received: from php-smtp4.php.net (localhost [127.0.0.1])
	by php-smtp4.php.net (Postfix) with ESMTP id 3C6311804B3
	for <internals@lists.php.net>; Mon, 14 Aug 2023 12:03:44 -0700 (PDT)
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on php-smtp4.php.net
X-Spam-Level: 
X-Spam-Status: No, score=-2.8 required=5.0 tests=BAYES_00,DKIM_SIGNED,
	DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_LOW,
	RCVD_IN_MSPIKE_H5,RCVD_IN_MSPIKE_WL,SPF_HELO_PASS,SPF_NONE,
	T_SCC_BODY_TEXT_LINE autolearn=no autolearn_force=no version=3.4.2
X-Spam-ASN: AS29838 64.147.123.0/24
X-Spam-Virus: No
X-Envelope-From: <larry@garfieldtech.com>
Received: from wout4-smtp.messagingengine.com (wout4-smtp.messagingengine.com [64.147.123.20])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange ECDHE (P-256) server-signature ECDSA (P-256) server-digest SHA256)
	(No client certificate requested)
	by php-smtp4.php.net (Postfix) with ESMTPS
	for <internals@lists.php.net>; Mon, 14 Aug 2023 12:03:43 -0700 (PDT)
Received: from compute4.internal (compute4.nyi.internal [10.202.2.44])
	by mailout.west.internal (Postfix) with ESMTP id 835F13200708;
	Mon, 14 Aug 2023 15:03:40 -0400 (EDT)
Received: from imap50 ([10.202.2.100])
  by compute4.internal (MEProxy); Mon, 14 Aug 2023 15:03:41 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=
	garfieldtech.com; h=cc:cc:content-type:content-type:date:date
	:from:from:in-reply-to:in-reply-to:message-id:mime-version
	:references:reply-to:sender:subject:subject:to:to; s=fm1; t=
	1692039820; x=1692126220; bh=IGhIoFNLmpXEwwPh3UBQ7D+ecnSGnZ3lykQ
	Qwz3t+Bs=; b=BAfHA+Mu4DOmrpJTVBDWvm7Q+iz7IslAonPmXQuMVVszQiItNf2
	lCmeBUBFNmz1Qrsuw12p39eUa4lQzIE667upd3sAJqNjZDN5DNjTg/NoT2PCRw1+
	USsXQRwq26gGRjnWzR+4FaaZWgG0lCQezlaxNX8vWQshSc0NkjZ/zzIUUorVTMz0
	eycfPLbyNQHf8kXTjFe3z4vEYvQkAsz0AUNaErYIfqxMvzxtj9YmQzbmPTkpCn/m
	RdHVSRV/9M+De9JRyrE9pxYCLWmIxVg9Coptc6FHyQVIY/NbOewwU6SvzUmZhf4q
	//Lh2BFk9PeDs2m3M7Xwe93xFhjiFZFe9vQ==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=
	messagingengine.com; h=cc:cc:content-type:content-type:date:date
	:feedback-id:feedback-id:from:from:in-reply-to:in-reply-to
	:message-id:mime-version:references:reply-to:sender:subject
	:subject:to:to:x-me-proxy:x-me-proxy:x-me-sender:x-me-sender
	:x-sasl-enc; s=fm1; t=1692039820; x=1692126220; bh=IGhIoFNLmpXEw
	wPh3UBQ7D+ecnSGnZ3lykQQwz3t+Bs=; b=ATAe1CyDRr8enOSAFqkUo7oIMANpL
	mjtJ28wjHt8lNg92qMynK8gdbOOMLk8Z+J9A1kVU3Bkl/+Tchl36D7gNU2XKefBG
	72yBBOkg7JQOWGk6hg+9u8fTOzCB+6qceCBLx+UlxSQ5qmv1WM513wKQpepp3xZH
	g7nbX0ZVaxJWxIVP0Dmn+uKGJkqpqLrJR4EnRqMY1BiBWolrVHAgTLoOL1D40WpR
	31UaVPAVzli75MYz7MY58N7CNcZww3VM13O9hJOzTwYhuZAQL1jzk2TtfuCz3V3O
	ITkr/9C3QMXZC7B5EZDzCnUotbbt/bn/6w9Gl1Ds7sxFXv9C4aosvRbrw==
X-ME-Sender: <xms:i3raZOaeTQ19k1cvKW20D_GahN-46ZEWGFxDhEMdN67F7YeNb7H5aw>
    <xme:i3raZBZozZ4NOpI310iTPkGNXgKA7CWN4R2gkkC8G8138x65Z-cpaS4KOeboxbWhD
    egX5fHDirEYIA>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedviedruddthedgtdegucetufdoteggodetrfdotf
    fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen
    uceurghilhhouhhtmecufedttdenucesvcftvggtihhpihgvnhhtshculddquddttddmne
    cujfgurhepofgfggfkjghffffhvfevufgtsehttdertderredtnecuhfhrohhmpedfnfgr
    rhhrhicuifgrrhhfihgvlhgufdcuoehlrghrrhihsehgrghrfhhivghlughtvggthhdrtg
    homheqnecuggftrfgrthhtvghrnhepvdfgtdfgteekudetuedtjeelledvjeduvedvteek
    jedvieejvdegkeegteduvddunecuffhomhgrihhnpegvgihtvghrnhgrlhhsrdhiohenuc
    evlhhushhtvghrufhiiigvpedtnecurfgrrhgrmhepmhgrihhlfhhrohhmpehlrghrrhih
    sehgrghrfhhivghlughtvggthhdrtghomh
X-ME-Proxy: <xmx:i3raZI9toShnVxDcu4FFmKMpROik5ssSMDmzIFXjWw-MqA6t19_W9g>
    <xmx:i3raZAqM4Zvgq4MxpPuxdTZfr1KXxVDFXYUX9mFBVCpF3xQDcUpkBQ>
    <xmx:i3raZJpgVQR1-gLMAWffblhLGTzEQxs1WIh5JTwtVtZFMUxT63bB_Q>
    <xmx:jHraZKBO1rxsaje8QyTZTy78ReSaLU472rQ_gFlxSXonoNIreKHfnQ>
Feedback-ID: i8414410d:Fastmail
Received: by mailuser.nyi.internal (Postfix, from userid 501)
	id 708321700089; Mon, 14 Aug 2023 15:03:39 -0400 (EDT)
X-Mailer: MessagingEngine.com Webmail Interface
User-Agent: Cyrus-JMAP/3.9.0-alpha0-624-g7714e4406d-fm-20230801.001-g7714e440
Mime-Version: 1.0
Message-ID: <8a9b7bc7-5d3d-46a3-bf3c-0af66aa2796f@app.fastmail.com>
In-Reply-To: 
 <CAFPFaMLBZixUFa=7=9Gxj60D=4QyfSpF9se-U+6CRoShzCrFrA@mail.gmail.com>
References: 
 <CAFPFaMLBZixUFa=7=9Gxj60D=4QyfSpF9se-U+6CRoShzCrFrA@mail.gmail.com>
Date: Mon, 14 Aug 2023 19:03:19 +0000
To: "G. P. B." <george.banyard@gmail.com>,
 "php internals" <internals@lists.php.net>
Cc: "Jakub Zelenka" <bukka@php.net>, eric@eamann.com, adoy@php.net
Content-Type: text/plain
Subject: Re: [PHP-DEV] Removing support for the disable_classes INI setting
From: larry@garfieldtech.com ("Larry Garfield")

On Mon, Aug 14, 2023, at 2:17 PM, G. P. B. wrote:
> Hello internals,
>
> While working on some DNF type bugs, I discovered some major issues around
> the disable_classes INI setting implementation. Such as:
>
> - A double-free of the type of a typed property
> - A use after free (which segfaults) when trying to access a property
> defined on a disabled class that was extended (e.g. disabling Exception)
> - A use after free when var_dumping a disabled class that has its own
> handler (as it will assume properties to be allocated)
> - And likely more considering the lack of tests surrounding this feature
>
> This feature seems of dubious nature, and the only justification given when
> adding support for this in the changelog of PHP 4.3.2 is:
>
> New "disable_classes" php.ini option to allow administrators to disable
> certain classes for security reasons. [1]
>
> However, only classes defined by extensions can be disabled, and such a
> class is critical for the correct operation of said extension.
> As such, what one should do for security reasons is to not enable the
> extension in the first place.
>
> Moreover, compared to the behaviour of disable_functions which, as of PHP
> 8.0, removes the function declaration completely, disable_classes does not
> remove the declaration of the class, but just "overloads" the object
> creation process to not initialize the object and emit a warning.
> Meaning, it is totally valid to instantiate a disabled class and pass it
> around to functions for them to blow up when they try to use the object as
> intended.
>
> Considering the major flaws in the implementation of said feature, the
> dubious nature of it, and the seeming lack of usage of it (considering none
> of the above breaking bugs have been reported).
> I would like to remove this feature in PHP 8.3, even though I know we are
> past feature freeze and close to the first RC.
>
> I have CCed the RMs for 8.3, and would like the opinion of other people on
> if this removal makes sense to the majority of people
>
> Sincerely,
>
> George P. Banyard
>
> [1] https://externals.io/message/2076

I believe the intent for it was the same as disable_functions: A "seemed like a good idea at the time" attempt to let shared hosters lock down their environment.  That's an increasingly small percentage of the PHP using market, though, so I am perfectly happy to lose disabled_classes entirely.  However, I think it should not get an exception for code-freeze.  At best, I could see a deprecation warning on it in 8.3 and remove in 8.4/9, but I defer to the RMs on that front.

--Larry Garfield