Newsgroups: php.internals
Subject: Re: [PHP-DEV] Study on unsafe extract() usage
Date: Wed, 23 Jul 2025 21:24:22 +0200
To: Kamil Tekiela, Jannik Hartung
Cc: PHP internals
From: bobwei9@hotmail.com (Bob Weinand)

Hey Kamil,

On 23.7.2025 21:01:14, Kamil Tekiela wrote:
>> This would prevent most of the
>> vulnerabilities found in the dataset and we cannot think of a valid use
>> case for allowing this behavior
>
> But not all. This function is dangerous on its own. Attack vectors are
> 99% through superglobals but could come from other sources too.
> However, this function is handy when used correctly.
>
> I agree with everything stated in the email. Using extract() on
> superglobals is definitely an incorrect usage and should be forbidden.
> If it's something that we can do then we should do it as soon as
> possible even if it means breaking some poorly written code.
>
> Empty prefix should be a bug and as such I recommend adding an error
> for this in PHP 8.5 without deprecation or RFC.
>
> One more thing that would improve security is to change the default
> flag to EXTR_SKIP. It would be a major BC though so we could probably
> only do it in PHP 9.

I can agree on making EXTR_SKIP the default.

I do not agree that empty prefix is a bug though. That's a common operation for templating, for example.

Regarding extract on superglobals, I have some legacy code from PHP 3 times, which still lives on with the following lines of code:

// Emulate register_globals on
extract($_POST, EXTR_SKIP);
extract($_GET, EXTR_SKIP);

Yeah, not the most awesome. But it works. Obviously, you can work around that with foreach ($_GET as $key => $val) $$key = $val;. So, I'm not strictly against a warning here, but it doesn't necessarily mean the code is incorrect. Just not necessarily up to today's standards.

Bob

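The following is an added example, not code from Bob's mail, from the study under discussion, or from the PHP project. It shows concretely what the thread is arguing about: what extract() on request data does under the default EXTR_OVERWRITE, what EXTR_SKIP does and does not protect against, and one way to keep the templating use of extract() while denying the request control over variable names. The `$request` array is a constructed stand-in for `$_GET` (built with parse_str from a made-up query string, so the script runs from the CLI); the function names `demoOverwrite`, `demoSkip` and `renderTemplate` are hypothetical.

```php
<?php
// Added example (not from the mail or from php-src): extract() on request
// data under each flag mode, plus an allowlisted templating pattern.
// $request stands in for $_GET; the query string below is constructed.
declare(strict_types=1);

parse_str('user=mallory&is_admin=1&template=../../etc/passwd', $request);

// 1. Default flags (EXTR_OVERWRITE): a variable the script already set
//    is clobbered by the request.
function demoOverwrite(array $request): bool
{
    $is_admin = false;          // in real code: derived from the session
    extract($request);          // $is_admin is now the string "1"
    return (bool) $is_admin;    // true: the request made itself admin
}

// 2. EXTR_SKIP keeps existing variables, but a variable the script only
//    defines on some code paths is still injectable when it is undefined at
//    the time of the call. This is the register_globals problem the
//    "emulate register_globals" snippet re-creates.
function demoSkip(array $request, bool $loggedInAsAdmin): bool
{
    if ($loggedInAsAdmin) {
        $is_admin = true;
    }
    extract($request, EXTR_SKIP);   // $is_admin undefined here => taken from request
    return isset($is_admin) && $is_admin;   // true even for an anonymous request
}

// 3. Templating without letting the caller choose variable names: keep only
//    an allowlist of keys and force a prefix, so the template can reach
//    $tpl_user / $tpl_title and nothing else in the function's scope.
function renderTemplate(array $vars): string
{
    $allowed = ['user' => true, 'title' => true];
    $safe = array_intersect_key($vars, $allowed);   // drops is_admin, template
    extract($safe, EXTR_PREFIX_ALL, 'tpl');

    $user  = htmlspecialchars($tpl_user ?? 'guest', ENT_QUOTES, 'UTF-8');
    $title = htmlspecialchars($tpl_title ?? '', ENT_QUOTES, 'UTF-8');
    // stand-in for `include $templateFile;`
    return "<h1>{$title}</h1><p>Hello, {$user}</p>";
}

var_dump(demoOverwrite($request));        // bool(true)
var_dump(demoSkip($request, false));      // bool(true)
echo renderTemplate($request), "\n";      // <h1></h1><p>Hello, mallory</p>
```

Two observations on the design choices. Switching the default to EXTR_SKIP, as the thread proposes, closes case 1 but not case 2, because EXTR_SKIP only consults which variables exist at the moment extract() runs, so any variable initialised later or only conditionally is still attacker-controlled; the fix for that is to initialise every security-relevant variable before the call, or not to hand request data to extract() at all. The variable-variable loop mentioned in the mail (`$$key = $val`) assigns unconditionally, so it behaves like the EXTR_OVERWRITE case rather than the EXTR_SKIP case. For the templating use, the allowlist plus EXTR_PREFIX_ALL keeps the convenience of extract() while making the set of reachable variable names a property of the code, not of the input.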