Newsgroups: php.internals
List-Id: internals.lists.php.net
Subject: Re: [PHP-DEV] Study on unsafe extract() usage
From: tekiela246@gmail.com (Kamil Tekiela)
To: Jannik Hartung
Cc: PHP internals
Date: Wed, 23 Jul 2025 21:01:14 +0200

> This would prevent most of the vulnerabilities found in the dataset and we cannot think of a valid use case for allowing this behavior

But not all. This function is dangerous on its own. Attack vectors are 99% through superglobals but could come from other sources too. However, this function is handy when used correctly.

I agree with everything stated in the email. Using extract() on superglobals is definitely an incorrect usage and should be forbidden. If it's something that we can do, then we should do it as soon as possible, even if it means breaking some poorly written code.

An empty prefix should be a bug, and as such I recommend adding an error for this in PHP 8.5 without deprecation or RFC.

One more thing that would improve security is to change the default flag to EXTR_SKIP. It would be a major BC break, though, so we could probably only do it in PHP 9.
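An added PHP example (written for this edit, not code from the thread or from PHP's own source) showing the three behaviours the reply refers to: the default EXTR_OVERWRITE clobbering a trusted local, EXTR_SKIP preserving it, and EXTR_PREFIX_ALL with a non-empty prefix namespacing the import. The `$untrusted` array is constructed to stand in for a superglobal so the script runs offline, and `requirePrefix()` is a hypothetical userland check, not a change to PHP itself.

```php
<?php
// Added example, not code from the thread. A constructed array stands in
// for request input such as $_GET so the script runs without a web server.
$untrusted = ['isAdmin' => '1', 'page' => 'home'];

// Default flag (EXTR_OVERWRITE): a request-controlled key silently replaces
// the trusted local. This is the usage the thread wants forbidden.
function renderOverwrite(array $input): string
{
    $isAdmin = false;
    extract($input);
    return $isAdmin ? 'admin view' : 'user view';
}

// EXTR_SKIP (the default the reply proposes for PHP 9): keys that collide
// with an existing variable are ignored, so $isAdmin keeps its trusted value.
function renderSkip(array $input): string
{
    $isAdmin = false;
    extract($input, EXTR_SKIP);
    return $isAdmin ? 'admin view' : 'user view';
}

// EXTR_PREFIX_ALL with a non-empty prefix: every imported name becomes
// $req_<key>, so request data cannot shadow a local variable at all.
function renderPrefixed(array $input): string
{
    $isAdmin = false;
    extract($input, EXTR_PREFIX_ALL, requirePrefix('req'));
    $page = $req_page ?? '';
    return sprintf('%s (page=%s)', $isAdmin ? 'admin view' : 'user view', $page);
}

// Hypothetical userland guard for the empty-prefix case the reply wants
// turned into an engine error; call it before extract() with a prefix flag.
function requirePrefix(string $prefix): string
{
    if ($prefix === '') {
        throw new ValueError('extract(): prefix must not be empty');
    }
    return $prefix;
}

echo renderOverwrite($untrusted), PHP_EOL;
echo renderSkip($untrusted), PHP_EOL;
echo renderPrefixed($untrusted), PHP_EOL;
```

Only the first call lets the request data decide the rendered view; the other two keep the trusted `$isAdmin` value because the collision is skipped or the name is prefixed.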