On Wed, Aug 21, 2024, at 20:32, John Coggeshall wrote:
>
> On Aug 21 2024, at 2:10 pm, Ilija Tovilo <tovilo.il...@gmail.com> wrote:
>>
>> Including a malicious composer package already allows for arbitrary
>> code execution, do you really need more than that?
>
> Of course. We've seen many examples in the wild of 3rd party libraries
> getting hijacked to inject malicious code (e.g. the whole `xz` attack). This
> behavior in PHP is not obvious, and provides a way to covertly target and
> hijack specific highly sensitive functions without an obvious way to detect
> it -- while otherwise behaving exactly as a developer would expect.
>
> Why possibly would we want to make it easier to perform such an attack, which
> as Ilija pointed out is actually making PHP slower, in the name of backward
> compatibility? Defense in depth is a cornerstone of application security.
>
> John
If you have the ability to inject arbitrary code, you've already lost. It doesn't matter whether they use this feature, or just register a shutdown function, autoloader, replace classes/functions/methods entirely, or whatever. Should we remove those features as well?

— Rob