Hi John

On Wed, Aug 21, 2024 at 8:02 PM John Coggeshall <j...@coggeshall.org> wrote:
>
> This is an attack vector for every application and I would argue should be a
> real concern for the vast majority of applications out there -- any which
> rely on namespace-based frameworks and composer packages from untrustworthy
> sources. It's not just WordPress -- literally every single PHP application
> that uses a publicly available framework and consumes external composer
> packages should be FQing their internal function calls. The natural behavior
> of the language shouldn't be the insecure way of doing things for the sake of
> maintaining BC compatibility with existing, insecure, code.

Including a malicious composer package already allows for arbitrary code execution, do you really need more than that?

Ilija