Newsgroups: php.internals
Date: Thu, 22 Aug 2024 10:09:52 +0200
From: Rob Landers <rob@bottled.codes>
To: John Coggeshall, Ilija Tovilo
Cc: internals@lists.php.net
Message-ID: <2f6fe011-0b07-47ed-8b24-f7eb216317b2@app.fastmail.com>
Subject: Re: [PHP-DEV] [Concept] Flip relative function lookup order (global, then local)

On Wed, Aug 21, 2024, at 20:32, John Coggeshall wrote:
>
> On Aug 21 2024, at 2:10 pm, Ilija Tovilo wrote:
>>
>> Including a malicious composer package already allows for arbitrary
>> code execution, do you really need more than that?
>
> Of course. We've seen many examples in the wild of 3rd party libraries getting hijacked to inject malicious code (e.g. the whole `xz` attack). This behavior in PHP is not obvious, and provides a way to covertly target and hijack specific highly sensitive functions without an obvious way to detect it -- while otherwise behaving exactly as a developer would expect.
>
> Why possibly would we want to make it easier to perform such an attack, which as Ilija pointed out is actually making PHP slower, in the name of backward compatibility? Defense in depth is a cornerstone of application security.
>
> John

If you have the ability to inject arbitrary code, you've already lost. It doesn't matter whether they use this feature, or just register a shutdown function, autoloader, replace classes/functions/methods entirely, or whatever. Should we remove those features as well?

— Rob
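The lookup behaviour the thread argues about, as an added example that is not code from the thread or from PHP itself: under the current order an unqualified call inside a namespace resolves to a same-named namespaced function before the global one, a fully qualified call does not, and a small audit helper lists user functions whose short name collides with an internal function. The namespaces App and Audit and the helper names are constructed for illustration and assume PHP 8.

```php
<?php
// Added example, not from the thread: PHP's relative function lookup and a
// defensive audit. All names (App, Audit, the helpers) are constructed.
namespace App {
    // A user function whose short name matches a core function. Under the
    // current order (namespace-local first, then global) every unqualified
    // strlen() call inside namespace App resolves here, not to \strlen.
    function strlen(string $s): int
    {
        return -1; // deliberately wrong so the shadowing is visible
    }

    // Unqualified call: resolved at runtime, the local definition wins.
    function unqualified(string $s): int
    {
        return strlen($s);
    }

    // Fully qualified call: always the global core function. Declaring
    // "use function strlen;" at the top of the namespace pins it the same way.
    function qualified(string $s): int
    {
        return \strlen($s);
    }
}

namespace Audit {
    // Defensive check: list user-defined namespaced functions whose short
    // name collides with an internal (core or extension) function.
    function shadowedInternals(): array
    {
        $defined = \get_defined_functions();
        $internal = \array_flip($defined['internal']);
        $hits = [];
        foreach ($defined['user'] as $fn) {
            $short = \substr(\strrchr('\\' . $fn, '\\'), 1);
            if (isset($internal[$short])) {
                $hits[] = $fn;
            }
        }
        return $hits;
    }
}

namespace {
    \var_dump(\App\unqualified('abc'));    // resolved to App\strlen
    \var_dump(\App\qualified('abc'));      // resolved to the core strlen
    \var_dump(\Audit\shadowedInternals()); // user functions shadowing internals
}
```

Running the audit at the end of bootstrap (after Composer's autoload files are included) turns the "no obvious way to detect it" concern into a checkable invariant for the namespaces an application owns.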