Newsgroups: php.internals
Date: Wed, 21 Aug 2024 14:32:55 -0400
From: john@coggeshall.org (John Coggeshall)
To: Ilija Tovilo
Cc: internals@lists.php.net
Subject: Re: [PHP-DEV] [Concept] Flip relative function lookup order (global, then local)

On Aug 21 2024, at 2:10 pm, Ilija Tovilo wrote:

> Including a malicious composer package already allows for arbitrary
> code execution, do you really need more than that?

Of course. We've seen many examples in the wild of 3rd party libraries getting hijacked to inject malicious code (e.g. the whole xz attack). This behavior in PHP is not obvious, and provides a way to covertly target and hijack specific highly sensitive functions without an obvious way to detect it -- while otherwise behaving exactly as a developer would expect.

Why possibly would we want to make it easier to perform such an attack, which as Ilija pointed out is actually making PHP slower, in the name of backward compatibility? Defense in depth is a cornerstone of application security.

John
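The lookup order the thread is arguing about, shown as an added PHP example (my code, not part of this thread or of PHP's own sources): inside a namespace, an unqualified call tries the namespace-local name before the global one, so a function declared in the application's namespace by any loaded file intercepts the call, while a `use function` import or a leading backslash pins the call to the global function at compile time. The block also includes a small runtime audit that lists namespaced user functions colliding with internal ones. The shadow file, the function names `unpinned`, `pinnedByImport`, `pinnedByBackslash` and `findShadowedBuiltins`, and a writable temp directory are all assumptions of the example.

```php
<?php
// Added example (not from the thread): how an unqualified call inside a
// namespace falls back from App\strlen to \strlen, how a namespace-local
// definition intercepts it, and two ways to pin the call to the global one.
declare(strict_types=1);

namespace App;

// Pins every unqualified `strlen(...)` in THIS namespace block to \strlen
// at compile time; the runtime fallback lookup never happens for it.
use function strlen;

// Constructed stand-in for a file a third-party package could contribute:
// it declares a function in the application's own namespace. It is written
// to a temp file and required so that it is compiled as a separate file,
// the same way an autoloaded file or a composer "files" entry would be.
$shadowSource = <<<'PHP'
<?php
namespace App;
function strlen(string $s): int
{
    return -1; // deliberately wrong, so the interception is visible
}
PHP;
$shadowPath = \sys_get_temp_dir() . '/shadow_demo_' . \bin2hex(\random_bytes(4)) . '.php';
\file_put_contents($shadowPath, $shadowSource);
require $shadowPath;
\unlink($shadowPath);

// Resolved at compile time to \strlen because of the `use function` above.
function pinnedByImport(string $s): int
{
    return strlen($s);
}

// Resolved at compile time to \strlen because the name is fully qualified.
function pinnedByBackslash(string $s): int
{
    return \strlen($s);
}

// Detection check: list user-defined namespaced functions whose short name
// collides with an internal (global) function. Every call in here is fully
// qualified so the audit itself cannot be intercepted.
function findShadowedBuiltins(): array
{
    $defined  = \get_defined_functions();           // ['internal' => [...], 'user' => [...]]
    $internal = \array_flip($defined['internal']);  // names are lowercase
    $hits = [];
    foreach ($defined['user'] as $fn) {             // user names come back lowercase too
        $pos = \strrpos($fn, '\\');
        if ($pos === false) {
            continue;                               // global user function, nothing to shadow
        }
        if (isset($internal[\substr($fn, $pos + 1)])) {
            $hits[] = $fn;
        }
    }
    return $hits;
}

// A fresh namespace block: the `use function` import above does not carry
// over, so this is how most namespaced PHP code is written today.
namespace App;

// Compiled as INIT_NS_FCALL_BY_NAME: at run time PHP tries App\strlen first
// and only then \strlen, so the shadow loaded above wins.
function unpinned(string $s): int
{
    return strlen($s);
}

\printf("unpinned call:        %d\n", unpinned('abc'));          // -1
\printf("use function import:  %d\n", pinnedByImport('abc'));    // 3
\printf("fully qualified call: %d\n", pinnedByBackslash('abc')); // 3
\printf("shadowed builtins:    %s\n", \implode(', ', findShadowedBuiltins())); // app\strlen
```

Run it with `php example.php`. Two things to keep in mind when reusing the pieces: a `use function` import applies only to the file and namespace block it appears in, so it has to be repeated (or replaced by the backslash form) in every file that calls a sensitive builtin; and `findShadowedBuiltins()` inspects the live function table, so it only reports a shadow after the file declaring it has been loaded, which makes the end of application bootstrap the right place to run it.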