Newsgroups: php.internals
Date: Thu, 22 Aug 2024 13:56:30 -0400
From: john@coggeshall.org (John Coggeshall)
To: Rob Landers
Cc: Ilija Tovilo, internals@lists.php.net
Subject: Re: [PHP-DEV] [Concept] Flip relative function lookup order (global, then local)
Message-ID: <5B453EA2-E5E3-4CA2-AEF8-B97DAC8D12D2@getmailspring.com>
In-Reply-To: <2f6fe011-0b07-47ed-8b24-f7eb216317b2@app.fastmail.com>

On Aug 22 2024, at 4:09 am, Rob Landers wrote:

> If you have the ability to inject arbitrary code, you've already lost. It doesn't matter whether they use this feature, or just register a shutdown function, autoloader, replace classes/functions/methods entirely, or whatever. Should we remove those features as well?

I think it's a fallacy to claim "well if they got this far the game is over" when it comes to application security. There are a million ways an attacker could use this feature to covertly gain access to things like passwords before they are encrypted, etc. that would enable lateral movement within an organization that otherwise they might have difficulty achieving even with RCE in a properly locked down system (e.g. PHP doesn't have the ability to write to the filesystem / overwrite existing classes, etc.)

Regarding the subject at hand I've made my case here and we can agree to disagree -- changing the function lookup order is an easy win with security benefits and, according to Ilija, performance benefits. I think it should be seriously considered.
John
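The lookup-order behaviour the thread is arguing about, as an added PHP example that is not part of the original post or of php-src: under the current rules an unqualified call inside a namespace resolves to a same-named namespace-local function before the global one, a leading backslash pins the global, and a small audit helper lists user functions whose short name collides with an internal function. All names and bodies here are constructed for illustration.

```php
<?php
// Added example (not from the thread): current relative function lookup
// (namespace-local first, then global) and a defensive audit for shadowing.

namespace App\Auth;

// Constructed namespaced function whose short name matches the internal
// password_hash(). Unqualified calls to password_hash() inside App\Auth
// resolve here instead of to \password_hash(); the body is a stand-in
// whose only purpose is to show that it is reached.
function password_hash(string $password, string|int|null $algo, array $options = []): string
{
    return 'shadowed:' . \password_hash($password, $algo, $options);
}

function hashUnqualified(string $pw): string
{
    return password_hash($pw, PASSWORD_DEFAULT);   // resolves to App\Auth\password_hash
}

function hashQualified(string $pw): string
{
    return \password_hash($pw, PASSWORD_DEFAULT);  // leading backslash pins the global
}

/**
 * Defensive check: return user-defined functions whose short name equals
 * the name of an internal function. Run at boot or in CI to flag shadowing.
 * get_defined_functions() reports user function names in lowercase.
 */
function findShadowedInternals(): array
{
    $defined  = \get_defined_functions();
    $internal = \array_flip($defined['internal']);
    $hits = [];
    foreach ($defined['user'] as $fn) {
        $short = \substr(\strrchr('\\' . $fn, '\\'), 1); // strip any namespace prefix
        if (isset($internal[$short])) {
            $hits[] = $fn;
        }
    }
    return $hits;
}

\var_dump(\str_starts_with(hashUnqualified('secret'), 'shadowed:'));
\var_dump(\str_starts_with(hashQualified('secret'), 'shadowed:'));
\print_r(findShadowedInternals());
```

Declaring `use function password_hash;` at the top of the namespace, or calling `\password_hash()` as in `hashQualified()`, are the two ways to make the global function the only candidate under the current lookup order.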