Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:120901
Return-Path: <php-internals_nospam@adviesenzo.nl>
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 91677 invoked from network); 14 Aug 2023 19:04:50 -0000
Received: from unknown (HELO php-smtp4.php.net) (45.112.84.5)
  by pb1.pair.com with SMTP; 14 Aug 2023 19:04:50 -0000
Received: from php-smtp4.php.net (localhost [127.0.0.1])
	by php-smtp4.php.net (Postfix) with ESMTP id 7B8FC1804B3
	for <internals@lists.php.net>; Mon, 14 Aug 2023 12:04:49 -0700 (PDT)
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on php-smtp4.php.net
X-Spam-Level: *
X-Spam-Status: No, score=1.2 required=5.0 tests=BAYES_00,DKIM_SIGNED,
	DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,HTML_MESSAGE,NICE_REPLY_A,
	RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H5,RCVD_IN_MSPIKE_WL,SPF_HELO_NONE,
	SPF_SOFTFAIL,STOX_BOUND_090909_B,T_SCC_BODY_TEXT_LINE autolearn=no
	autolearn_force=no version=3.4.2
X-Spam-ASN: AS36483 23.83.208.0/21
X-Spam-Virus: No
X-Envelope-From: <php-internals_nospam@adviesenzo.nl>
Received: from buffalo.birch.relay.mailchannels.net (buffalo.birch.relay.mailchannels.net [23.83.209.24])
	(using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by php-smtp4.php.net (Postfix) with ESMTPS
	for <internals@lists.php.net>; Mon, 14 Aug 2023 12:04:48 -0700 (PDT)
X-Sender-Id: a2hosting|x-authuser|juliette@adviesenzo.nl
Received: from relay.mailchannels.net (localhost [127.0.0.1])
	by relay.mailchannels.net (Postfix) with ESMTP id 812B58126F
	for <internals@lists.php.net>; Mon, 14 Aug 2023 19:04:47 +0000 (UTC)
Received: from nl1-ss105.a2hosting.com (unknown [127.0.0.6])
	(Authenticated sender: a2hosting)
	by relay.mailchannels.net (Postfix) with ESMTPA id 310EC80DDC
	for <internals@lists.php.net>; Mon, 14 Aug 2023 19:04:46 +0000 (UTC)
ARC-Seal: i=1; s=arc-2022; d=mailchannels.net; t=1692039886; a=rsa-sha256;
	cv=none;
	b=5oN3t2dcmWkesjm9m5ItMm4I7BwXfE19Ar+151RT5S0UMdDKwhhlsTkI0ElC880qBK9kUt
	oDDeVGvqd+vRXG8wpGqr9HIKvlt7grYe8kAuFFsdnA0CjLFud7o5gX29cNUd9jGbLgmfd5
	tODYJCR8rTS/jRp9N+ovE4PpBykEHqxEf6uSeLEG7lbm/hnsFERHMP1sd+bOdxYluhryYi
	Q65coDKtx48fAdrRx1nkIyxvwTS84BpBqMqASj2QjuWcUkHh4XL5ufrGvVp4jo+FTJNjhW
	LGy+W+ImBGRKmqsXLT0aY30CX/6SeHLiQgx1qqLfvv4ExwmRctWGushq1huBHw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed;
 d=mailchannels.net;
	s=arc-2022; t=1692039886;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 in-reply-to:in-reply-to:references:references:dkim-signature;
	bh=zOiaFj5BX0FfUzgYegby7tH7mILj7t2JqWJSHMyK2tY=;
	b=Y/bpr70Etm2PtPmS3kkIiPunzihGog7o42w/40U6LGUSkcNeUhzbq6P7aAUSSgoWsvvWCp
	sdy8vItFxuYn6eFKyFNzXZcDmsSb95yZ3eUXjjyHnKikgLGGmaUNmLH1aJJE4SyngdAqC/
	Fck30QqUdX0y7YUpM5pA1n0dEfzSrMap9jZwtHZ8NBA3R8WqoV4pxpNRDl6ANFNWO98VRw
	i97/Ch/W6DKwTDGV30cRgy9h7EdSwUSjgEruyCT0tWXj56wDfcNOQsGtLLlCRZHMn+aGtl
	CHTgH2rXtYB9bqnpnHYrIERSUShgSoaFWxTY6UDWJhXsOyftLXUmqnhehqSlvA==
ARC-Authentication-Results: i=1;
	rspamd-849d547c58-h9njv;
	auth=pass smtp.auth=a2hosting
 smtp.mailfrom=php-internals_nospam@adviesenzo.nl
X-Sender-Id: a2hosting|x-authuser|juliette@adviesenzo.nl
X-MC-Relay: Neutral
X-MailChannels-SenderId: a2hosting|x-authuser|juliette@adviesenzo.nl
X-MailChannels-Auth-Id: a2hosting
X-Belong-Inform: 532a326857804f22_1692039886710_3290197795
X-MC-Loop-Signature: 1692039886710:2079692684
X-MC-Ingress-Time: 1692039886710
Received: from nl1-ss105.a2hosting.com (nl1-ss105.a2hosting.com
 [85.187.142.69])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384)
	by 100.126.6.75 (trex/6.9.1);
	Mon, 14 Aug 2023 19:04:46 +0000
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
	d=adviesenzo.nl; s=default; h=Content-Type:In-Reply-To:MIME-Version:Date:
	Message-ID:From:References:To:Subject:Sender:Reply-To:Cc:
	Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date:
	Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Id:
	List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive;
	bh=zOiaFj5BX0FfUzgYegby7tH7mILj7t2JqWJSHMyK2tY=; b=tza502vj+XGbW/WUb4IyUpZ3ac
	1SUJqvgRlz2HjdtpWfXy+zhW0Xv1pRWFFeEBahjbgEo/vEUtCjlLVDfYuSo1Xy5NvQtPuZ3yNJANb
	zOK7GTP9Llven4sPFcYpGTIM5fosBc+vEUrqCYhlbuVH9U2P2kJ3U+ljvqgWiI8jNguQ=;
Received: from [143.178.154.86] (port=51298 helo=[192.168.1.16])
	by nl1-ss105.a2hosting.com with esmtpsa  (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
	(Exim 4.96)
	(envelope-from <php-internals_nospam@adviesenzo.nl>)
	id 1qVcrt-00Gdpz-0J
	for internals@lists.php.net;
	Mon, 14 Aug 2023 21:04:44 +0200
To: internals@lists.php.net
References: <CAFPFaMLBZixUFa=7=9Gxj60D=4QyfSpF9se-U+6CRoShzCrFrA@mail.gmail.com>
Message-ID: <64DA7ACC.1050909@adviesenzo.nl>
Date: Mon, 14 Aug 2023 21:04:44 +0200
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:38.0) Gecko/20100101
 Thunderbird/38.7.0
MIME-Version: 1.0
In-Reply-To: <CAFPFaMLBZixUFa=7=9Gxj60D=4QyfSpF9se-U+6CRoShzCrFrA@mail.gmail.com>
Content-Type: multipart/alternative;
 boundary="------------040506050206030208000709"
X-AuthUser: juliette@adviesenzo.nl
Subject: Re: [PHP-DEV] Removing support for the disable_classes INI setting
From: php-internals_nospam@adviesenzo.nl (Juliette Reinders Folmer)

--------------040506050206030208000709
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit

On 14-8-2023 16:17, G. P. B. wrote:
> Hello internals,
>
> While working on some DNF type bugs, I discovered some major issues around
> the disable_classes INI setting implementation. Such as:
>
> - A double-free of the type of a typed property
> - A use after free (which segfaults) when trying to access a property
> defined on a disabled class that was extended (e.g. disabling Exception)
> - A use after free when var_dumping a disabled class that has its own
> handler (as it will assume properties to be allocated)
> - And likely more considering the lack of tests surrounding this feature
>
> This feature seems of dubious nature, and the only justification given when
> adding support for this in the changelog of PHP 4.3.2 is:
>
> New "disable_classes" php.ini option to allow administrators to disable
> certain classes for security reasons. [1]
>
> However, only classes defined by extensions can be disabled, and such a
> class is critical for the correct operation of said extension.
> As such, what one should do for security reasons is to not enable the
> extension in the first place.
>
> Moreover, compared to the behaviour of disable_functions which, as of PHP
> 8.0, removes the function declaration completely, disable_classes does not
> remove the declaration of the class, but just "overloads" the object
> creation process to not initialize the object and emit a warning.
> Meaning, it is totally valid to instantiate a disabled class and pass it
> around to functions for them to blow up when they try to use the object as
> intended.
>
> Considering the major flaws in the implementation of said feature, the
> dubious nature of it, and the seeming lack of usage of it (considering none
> of the above breaking bugs have been reported).
> I would like to remove this feature in PHP 8.3, even though I know we are
> past feature freeze and close to the first RC.
>
> I have CCed the RMs for 8.3, and would like the opinion of other people on
> if this removal makes sense to the majority of people
>
> Sincerely,
>
> George P. Banyard
>
> [1] https://externals.io/message/2076
>

Hi George,

For what its worth: in my experience, the `disable_classes` and 
`disable_functions` ini directives are mostly used by hosting companies 
providing shared/virtual host environments and, most often for those 
environments, not editable by their users via a control panel or nor do 
these users have (edit) access to the php.ini file.

Declaring an ini directive in the php.ini file which has been removed 
will instantly cause a fatal error on starting PHP, so I wonder what the 
impact will be when a user switches PHP version (which they often can 
choose to do via a control panel).

Hosts should (of course) know what they are doing and this should be 
handled when the user initiates the PHP version switch, but if hosts 
knew what they were doing, they would make the extension unavailable (as 
you already suggested above), so I wonder how many shared hosting users 
will run into trouble if this is removed without deprecation period.... ?

Would deprecating it in PHP 8.3 and removing it in PHP 9.0 be an option ?

As for the lack of bug reports - the typical type of end users using 
those hosts will not know to report these type of issues to PHP (or even 
be able to properly identify the issue). Instead they will complain 
extensively to whatever open source project (read: WordPress) they are 
running on the shared hosting without providing enough information for 
the open source maintainers to even begin to identify the actual 
issue... ;-)

Just my two cents.

Smile,
Juliette


--------------040506050206030208000709--