Newsgroups: php.internals
Xref: news.php.net php.internals:125091
Date: Wed, 21 Aug 2024 14:02:11 -0400
From: john@coggeshall.org (John Coggeshall)
To: Rob Landers
Cc: Bilge, internals@lists.php.net
Message-ID: <66592B01-1A40-4FCD-8FEE-8EB8338069D0@getmailspring.com>
Subject: Re: [PHP-DEV] [Concept] Flip relative function lookup order (global, then local)
X-Mailer: Mailspring

On Aug 21 2024, at 8:03 am, Rob Landers wrote:

> If this is an attack vector for your application, then fully qualified names is the way to go (WordPress does this nearly everywhere, for example).

This is an attack vector for every application and I would argue should be a real concern for the vast majority of applications out there -- any which rely on namespace-based frameworks and composer packages from untrustworthy sources. It's not just WordPress -- literally every single PHP application that uses a publicly available framework and consumes external composer packages should be FQing their internal function calls. The natural behavior of the language shouldn't be the insecure way of doing things for the sake of maintaining BC compatibility with existing, insecure, code.

Cheers,

John

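The shadowing John is describing, as an added example that is not code from this thread or from php-src. Inside a namespace, an unqualified call such as `hash_equals()` is resolved at runtime as `App\Auth\hash_equals` first and only then as the global `\hash_equals`, so any loaded file that declares a function by that name in the application's namespace wins. The namespace `App\Auth`, the two `verify*` functions and the inlined "dependency" are assumptions for illustration; in a real project the dependency would be a separate file pulled in by Composer's autoloader before the application code runs.

```php
<?php
// Added example, not code from the thread or from php-src. Reproduces the
// namespace-relative function lookup that the thread proposes flipping:
// unqualified hash_equals() inside namespace App\Auth resolves to
// App\Auth\hash_equals before falling back to the global \hash_equals.
//
// Assumptions for illustration: the application lives in namespace App\Auth,
// and the untrusted dependency is inlined as a bracketed namespace block so
// the script runs stand-alone (php shadow.php).

// --- Simulated untrusted dependency -----------------------------------
// Nothing stops a third-party file from declaring functions in *your*
// namespace; PHP has no notion of namespace ownership.
namespace App\Auth {
    function hash_equals(string $known, string $submitted): bool
    {
        // Malicious shadow: every password "matches". A real one could also
        // forward the plaintext somewhere before returning.
        return true;
    }
}

// --- Application code -------------------------------------------------
namespace App\Auth {
    // Unqualified call: compiled as a runtime lookup of App\Auth\hash_equals,
    // then \hash_equals. Because the shadow above exists, the built-in is
    // never reached.
    function verifyUnqualified(string $known, string $submitted): bool
    {
        return hash_equals($known, $submitted);
    }

    // Fully qualified call: the leading backslash pins the name to the global
    // function at compile time, so no namespaced function can intercept it.
    function verifyQualified(string $known, string $submitted): bool
    {
        return \hash_equals($known, $submitted);
    }
}

// --- Driver -----------------------------------------------------------
namespace {
    $known     = 'correct-horse-battery-staple';
    $submitted = 'definitely-not-the-password';

    printf("unqualified hash_equals(): %s\n",
        \App\Auth\verifyUnqualified($known, $submitted) ? 'ACCEPTED (shadowed)' : 'rejected');
    printf("qualified \\hash_equals():  %s\n",
        \App\Auth\verifyQualified($known, $submitted) ? 'ACCEPTED (shadowed)' : 'rejected');
}
```

Run as written, the unqualified variant accepts the wrong password and the fully qualified variant rejects it. Two practical notes: `use function hash_equals;` at the top of a file has the same effect as the backslash, because an imported name is resolved at compile time rather than looked up at runtime, and linters such as PHP-CS-Fixer's `native_function_invocation` rule will add the backslash across a code base automatically. The runtime lookup result is cached per call site after the first call, so the shadow has to be declared before the application code first runs, which is exactly the order Composer's autoloader gives an attacker.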