On Aug 21 2024, at 2:10 pm, Ilija Tovilo <tovilo.il...@gmail.com> wrote:
>
> Including a malicious composer package already allows for arbitrary
> code execution, do you really need more than that?
>

Of course. We've seen many examples in the wild of 3rd party libraries getting 
hijacked to inject malicious code (e.g. the whole xz attack). This behavior in 
PHP is not obvious, and provides a way to covertly target and hijack specific 
highly sensitive functions without an obvious way to detect it -- while 
otherwise behaving exactly as a developer would expect.
Why would we possibly want to make it easier to perform such an attack, which 
as Ilija pointed out is actually making PHP slower, in the name of backward 
compatibility? Defense in depth is a cornerstone of application security.
John
