Newsgroups: php.internals
Xref: news.php.net php.internals:121603
Reply-To: Thomas Chauchefoin
Date: Tue, 7 Nov 2023 11:33:04 +0100
To: internals@lists.php.net
Subject: Set register_argc_argv to Off by default
From: internals@lists.php.net ("Thomas Chauchefoin via internals")

Hey,

I recently opened an issue on GitHub [1] to discuss setting register_argc_argv to Off by default for all SAPIs but cli, embed, and phpdbg. Ilija Tovilo suggested including this change in 8.4.0.

Even though most downstream distributions already turn it off, that's not the case everywhere. For instance, the official Docker image has it on [2].

Outside of performance reasons, this also has a security impact because it eases the exploitation of limited LFI bugs [3] and CLI tools stored under the web root [4].

-Thomas

[1]: https://github.com/php/php-src/issues/12344
[2]: https://hub.docker.com/_/php
[3]: https://www.youtube.com/watch?v=yq2rq50IMSQ
[4]: https://github.com/advisories/GHSA-jm6m-4632-36hf
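
One way to check a deployment for the default the message describes, as an added example that is not part of the original message or of php-src: a static audit that computes the effective register_argc_argv value from ini file contents and flags non-CLI SAPIs where it is still On. The function names, result labels and sample ini snippets are constructed for illustration, and the check assumes only php.ini and scan-directory files apply (per-directory overrides are not modelled).

```python
import re

# Constructed model of the thread's point: unless a file sets the directive,
# PHP falls back to its built-in default, which the proposal wants to flip.
BUILTIN_DEFAULT = True                   # On, the default under discussion
ARGV_SAPIS = {"cli", "embed", "phpdbg"}  # SAPIs the proposal leaves at On

# Directive names are case-sensitive; a leading ';' makes the line a comment.
_DIRECTIVE = re.compile(
    r"^[ \t]*register_argc_argv[ \t]*=[ \t]*([^;\r\n]*)", re.M)

def php_bool(raw):
    """Approximate how PHP reads the value of a boolean ini directive."""
    v = raw.strip().strip("\"'").lower()
    if v in ("on", "yes", "true"):
        return True
    m = re.match(r"[+-]?\d+", v)
    return bool(m) and int(m.group()) != 0

def effective_argc_argv(ini_texts):
    """ini_texts: php.ini then scan-dir files, in load order (last one wins).
    Returns (enabled, index of the deciding file or None for the default)."""
    enabled, source = BUILTIN_DEFAULT, None
    for i, text in enumerate(ini_texts):
        for m in _DIRECTIVE.finditer(text):
            enabled, source = php_bool(m.group(1)), i
    return enabled, source

def audit(sapi, ini_texts):
    """Classify one SAPI/config pair for a CI or image-build check."""
    enabled, source = effective_argc_argv(ini_texts)
    if sapi in ARGV_SAPIS or not enabled:
        return "ok"
    return "exposed-by-default" if source is None else "exposed-by-config"

# Constructed sample inputs (not taken from any real image).
NO_INI = []
HARDENED = ["[PHP]\nregister_argc_argv = Off ; set explicitly\n"]
REENABLED = HARDENED + ['register_argc_argv = "On"\n']

if __name__ == "__main__":
    for name, files in [("no php.ini", NO_INI), ("hardened", HARDENED),
                        ("re-enabled in conf.d", REENABLED)]:
        for sapi in ("fpm-fcgi", "cli"):
            print(f"{name:22} {sapi:9} {audit(sapi, files)}")
```

The "exposed-by-default" result is the case the proposal removes: a web SAPI running with no file that sets the directive at all.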