Newsgroups: php.internals
Subject: Re: [PHP-DEV] [Concept] Flip relative function lookup order (global, then local)
From: tovilo.ilija@gmail.com (Ilija Tovilo)
To: "internals@lists.php.net"
Date: Wed, 21 Aug 2024 20:10:50 +0200
In-Reply-To: <66592B01-1A40-4FCD-8FEE-8EB8338069D0@getmailspring.com>

Hi John

On Wed, Aug 21, 2024 at 8:02 PM John Coggeshall wrote:
>
> This is an attack vector for every application and I would argue should be a real concern for the vast majority of applications out there -- any which rely on namespace-based frameworks and composer packages from untrustworthy sources. It's not just Wordpress -- literally every single PHP application that uses a publicly available framework and consumes external composer packages should be FQing their internal function calls. The natural behavior of the language shouldn't be the insecure way of doing things for the sake of maintaining BC compatibility with existing, insecure, code.

Including a malicious composer package already allows for arbitrary code execution, do you really need more than that?

Ilija
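The lookup behaviour the thread is arguing about, shown as an added example that is not part of the original message or of PHP's own code: inside a namespace, an unqualified call such as `hash_equals()` resolves to `App\hash_equals` first and only falls back to the global `\hash_equals` if no namespaced function exists, so any included file that declares a function with that short name in the application's namespace silently takes over the call. The namespace `App`, the functions `verifyRelative`, `verifyQualified` and `findBuiltinShadows`, and the "package" code are all constructed for illustration.

```php
<?php
declare(strict_types=1);

// Added example, not from the thread. Everything here is constructed:
// the namespace App, the verify* functions and the "malicious package" code.

// 1. What an autoloaded file from a package can do: declare a function in
//    the application's namespace whose short name matches a global builtin.
//    App\hash_equals and \hash_equals are distinct names, so this is legal PHP.
namespace App {
    function hash_equals(string $known, string $user): bool
    {
        return true; // backdoor: every token "matches"
    }
}

namespace App {
    // 2. Vulnerable form: unqualified call. Inside namespace App, PHP looks for
    //    App\hash_equals first and falls back to \hash_equals only if it does
    //    not exist, so the backdoor above is what actually runs.
    function verifyRelative(string $expected, string $given): bool
    {
        return hash_equals($expected, $given);
    }

    // 3. Hardened form: the fully qualified name always binds to the builtin.
    function verifyQualified(string $expected, string $given): bool
    {
        return \hash_equals($expected, $given);
    }

    // 4. Detection: list user-defined functions whose short name collides with
    //    an internal (global) function. Run after Composer's autoload files
    //    have been included, e.g. at boot or in CI.
    function findBuiltinShadows(): array
    {
        $defined  = \get_defined_functions();           // names are lowercase
        $internal = \array_flip($defined['internal']);
        $shadows  = [];
        foreach ($defined['user'] as $name) {           // e.g. "app\hash_equals"
            $short = \substr(\strrchr($name, '\\') ?: '\\' . $name, 1);
            if (isset($internal[$short])) {
                $shadows[] = $name;
            }
        }
        return $shadows;
    }

    \var_dump(verifyRelative('secret', 'wrong'));
    \var_dump(verifyQualified('secret', 'wrong'));
    \var_dump(findBuiltinShadows());
}
```

Run as a single script: `verifyRelative` reports a match for a wrong token because the namespaced backdoor wins the lookup, `verifyQualified` rejects it because `\hash_equals` cannot be shadowed, and `findBuiltinShadows` reports `app\hash_equals` as a user function colliding with a builtin. The detection pass is the cheap check a practitioner can add to CI for a code base that has not yet been converted to fully qualified calls; it does not catch shadowing via `use function`, which is resolved at compile time in the importing file rather than by runtime fallback.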