Newsgroups: php.internals
Subject: Re: [PHP-DEV] [Concept] Flip relative function lookup order (global, then local)
From: John Coggeshall <john@coggeshall.org>
To: Bilge <bilge@scriptfusion.com>
Cc: internals@lists.php.net
Date: Wed, 21 Aug 2024 04:23:13 -0400
Message-ID: <7E80614A-63CF-4515-9DF1-C6869218F864@getmailspring.com>
In-Reply-To: <48c22449-6cdf-449f-917f-365506e3f2d0@scriptfusion.com>
References: <48c22449-6cdf-449f-917f-365506e3f2d0@scriptfusion.com>
X-Mailer: Mailspring

On Aug 2 2024, at 4:37 pm, Bilge <bilge@scriptfusion.com> wrote:

> My only concern is there needs to be an alternative way to do this: intercepting internal calls. Sometimes, whether due to poor architecture or otherwise, we just need to be able to replace an internal function call. One example I can think of recently is where I had to replace `header()` with a void function in tests, just to stop some legacy code emitting headers before the main framework kicked in, then unable to emit its own response because HTTP headers had already been sent. In a perfect world it shouldn't be necessary, but sometimes it is, so I think for this proposal to be palpable there must still be a way to achieve this.

Just a tangent thought to the above, but I've always been a little concerned with the idea that a malicious composer package could potentially do nasty things because PHP looks at the local namespace first for functions.
For example, if a composer package focused on Laravel defines malicious versions of internal functions in common namespaces like App\Models, App\Http\Controllers, etc., it could do some nasty stuff -- and supply-chain attacks aren't exactly uncommon. Even worse is WordPress or any other PHP-based software package that allows arbitrary plugins to be installed by non-technical users who really would have no idea if the package was safe even if they were looking at the code.

<?php
// something.php
namespace App\Models;

function password_hash(string $password, string|int|null $algo, array $options = []): string
{
    print("Hello");
    return $password;
}

<?php
// my code
namespace App\Models;

include "something.php";

// Unqualified call: resolves to App\Models\password_hash (above), not \password_hash
password_hash('foobar', PASSWORD_DEFAULT);

I don't recall why local namespace first won, but IMO it wasn't a great call out the gate for that reason alone. Yes, you can always use \password_hash instead of password_hash, but making the default insecure and slower is silly IMO -- and not fixing it because of BC seems like the weaker argument here.

John
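As an added example (editor's code, not part of John's message or of PHP itself), the following single file shows the shadowing John describes end to end: a function declared in the application's namespace with an internal function's short name, an unqualified call that silently resolves to it, the two ways of pinning a call to the global function (a fully qualified name, or `use function`), and an audit helper that lists user-defined functions shadowing internals under a given namespace prefix. Namespace names follow John's example; the "attacker" body, the helper's name and the demo strings are constructed for the illustration. Requires PHP 8.0 or later.

```php
<?php
// Added example, not code from the thread. Run with: php shadow_demo.php
// Requires PHP 8.0+ (union types, str_starts_with). The shadowing body below is
// constructed for the demo and only tags its input.
declare(strict_types=1);

// (1) What a hostile dependency or plugin could ship: a function declared in the
// application's own namespace with the same short name as an internal function.
namespace App\Models {
    function password_hash(string $password, string|int|null $algo, array $options = []): string
    {
        // A real payload would log or exfiltrate $password; this one just tags it.
        return 'SHADOWED:' . $password;
    }
}

// (2) Application code in that namespace. The unqualified call is resolved at
// run time: App\Models\password_hash first, \password_hash only as a fallback.
namespace App\Models {
    function hash_unqualified(string $pw): string
    {
        return password_hash($pw, PASSWORD_DEFAULT);   // hits the shadow above
    }

    // (3a) Fully qualified name: always the global (internal) function.
    function hash_fully_qualified(string $pw): string
    {
        return \password_hash($pw, PASSWORD_DEFAULT);
    }
}

// (3b) Importing the global function pins every unqualified call in this block,
// even if App\Http\Controllers\password_hash were declared in some other file.
namespace App\Http\Controllers {
    use function password_hash;

    function hash_imported(string $pw): string
    {
        return password_hash($pw, PASSWORD_DEFAULT);   // \password_hash
    }
}

// (4) Audit helper (hypothetical name): which user-defined functions under the
// namespace prefix $ns (sub-namespaces included) shadow an internal function?
namespace {
    function shadowed_internals(string $ns): array
    {
        $defined  = get_defined_functions();            // names come back lowercased
        $internal = array_flip($defined['internal']);
        $prefix   = strtolower(trim($ns, '\\')) . '\\';
        $hits     = [];
        foreach ($defined['user'] as $fn) {
            if (!str_starts_with($fn, $prefix)) {
                continue;
            }
            $short = substr($fn, strrpos($fn, '\\') + 1);
            if (isset($internal[$short])) {
                $hits[] = $fn;
            }
        }
        return $hits;
    }

    // Demo. A genuine bcrypt hash from the internal function starts with "$2y$";
    // the shadowed call returns the tagged plaintext instead.
    printf("unqualified     : %s\n", App\Models\hash_unqualified('secret'));
    printf("fully qualified : %s\n", substr(App\Models\hash_fully_qualified('secret'), 0, 4));
    printf("imported        : %s\n", substr(App\Http\Controllers\hash_imported('secret'), 0, 4));
    printf("shadowed under App\\Models: %s\n", implode(', ', shadowed_internals('App\\Models')));
}
```

The audit helper only sees functions that have already been loaded, so it has to run after the autoloader (or after `include` of the suspect package), and a static check over the vendor tree for `function <internal-name>(` inside a `namespace App\...` declaration is the complementary build-time control. Pinning with `\password_hash` or `use function` is also what lets the compiler resolve the call without the run-time namespace lookup, which is the "slower" half of John's point.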