On 29.12.2018 at 00:59, Stanislav Malyshev wrote:

> If this extension were not enabled by default and required explicit
> enabling action to build - that's fine, if you did it, we assume you
> know what you're doing enough to assume the risk. But if it's present
> and enabled by default in a common PHP build, I am concerned that we're
> creating a small stepstone making PHP systems easier to exploit. Again,
> it's not a security issue per se, and there are layers that should
> prevent any problem - but that's the thing, security works in layers,
> and FFI would make it one layer weaker.

As I understand it, the extension would not be compiled by default, but
rather has to be enabled using an explicit --with-ffi configure
option[1] (or --enable-ffi on Windows[2]).  Furthermore, the extension
can't be compiled statically (I presume this is by design), so some
action would already be required before ffi.enable=preload would be
effective.

[1]
<https://github.com/dstogov/php-ffi/blob/6c43a0072da2879e77bffd21d10fb28c0e3c2878/config.m4#L3-L6>
[2]
<https://github.com/dstogov/php-ffi/blob/6c43a0072da2879e77bffd21d10fb28c0e3c2878/config.w32#L1-L3>

-- 
Christoph M. Becker

-- 
PHP Internals - PHP Runtime Development Mailing List