Newsgroups: php.internals
Date: Tue, 7 Nov 2023 15:48:32 +0000
From: george.banyard@gmail.com ("G. P. B.")
To: Thomas Chauchefoin
Cc: internals@lists.php.net
Subject: Re: [PHP-DEV] Set register_argc_argv to Off by default

On Tue, 7 Nov 2023 at 10:33, Thomas Chauchefoin via internals <internals@lists.php.net> wrote:

> Hey,
>
> I recently opened an issue on GitHub [1] to discuss setting
> register_argc_argv to Off by default for all SAPIs but cli, embed, and
> phpdbg. Ilija Tovilo suggested including this change in 8.4.0.
>
> Even though most downstream distributions already turn it off, that's
> not the case everywhere. For instance, the official Docker image has
> it on [2]. Outside of performance reasons, this also has a security
> impact because it eases the exploitation of limited LFI bugs [3] and
> CLI tools stored under the web root [4].
>
> -Thomas
>
> [1]: https://github.com/php/php-src/issues/12344
> [2]: https://hub.docker.com/_/php
> [3]: https://www.youtube.com/watch?v=yq2rq50IMSQ
> [4]: https://github.com/advisories/GHSA-jm6m-4632-36hf

This sounds sensible to me.

Best regards,

Gina/George P. Banyard
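As an added illustration (not code from the thread or from php-src), the script below shows the two defensive measures the discussion implies: a guard that keeps a CLI tool from being driven by a web request if it ends up under the web root, and an audit that flags a non-cli SAPI still running with register_argc_argv On. The function names and the SAPI list are assumptions taken from the message, and the ini lines in the comments mirror the setting it proposes changing.

```php
<?php
// Added example: defensive checks around register_argc_argv (not from the thread).
//
// php.ini, weak setting (the thread notes the official Docker image ships with it):
//   register_argc_argv = On
// php.ini, hardened setting (the proposed default for every SAPI but cli/embed/phpdbg):
//   register_argc_argv = Off

declare(strict_types=1);

// SAPIs the thread wants to keep the directive On for (assumption: taken verbatim from it).
const CLI_LIKE_SAPIS = ['cli', 'embed', 'phpdbg'];

/**
 * Guard for a command-line tool that lives in a deployable tree: refuse to run
 * unless invoked from the cli SAPI, so a web request can never drive it.
 */
function require_cli_sapi(): void
{
    if (PHP_SAPI !== 'cli') {
        http_response_code(403);
        exit("This script can only be run from the command line.\n");
    }
}

/**
 * Hardening audit: returns a list of findings (an empty list means nothing to fix).
 * Uses only ini_get() and PHP_SAPI; hypothetical helper, not a php-src API.
 */
function audit_register_argc_argv(): array
{
    $findings = [];
    $enabled  = filter_var(ini_get('register_argc_argv'), FILTER_VALIDATE_BOOLEAN);
    $cliLike  = in_array(PHP_SAPI, CLI_LIKE_SAPIS, true);

    if ($enabled && !$cliLike) {
        $findings[] = sprintf('register_argc_argv is On under the "%s" SAPI; set it to Off.', PHP_SAPI);
        // With the directive On, a web SAPI also fills $_SERVER['argv'] from the query string.
        if (!empty($_SERVER['argv'])) {
            $findings[] = 'Request data is reaching $_SERVER["argv"] (' . count($_SERVER['argv']) . ' entries).';
        }
    }
    return $findings;
}

if (PHP_SAPI === 'cli') {
    // Stand-alone run: php audit.php  (no findings are expected on the cli SAPI itself)
    $findings = audit_register_argc_argv();
    echo $findings === [] ? "OK: no findings for SAPI " . PHP_SAPI . PHP_EOL : implode(PHP_EOL, $findings) . PHP_EOL;
}
```

Deploy the audit as a web-reachable page only on a test host; in production the check belongs in a deployment test that inspects the php.ini and php-fpm pool configuration instead.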