Hi
On 7/14/23 18:03, David Gebler wrote:
2) These expansions should probably be disabled by INI_SCANNER_RAW; that
flag already disables certain other types of value interpolation. (Oddly,
it doesn't disable expansion of constants either; that might be worth
revisiting as well.)
Environment va
This is a valid concern, as we are side-loading plugins in our
software, where plugin information is defined in a .ini file.
But somehow I thought that INI_SCANNER_TYPED was a bit like
INI_SCANNER_RAW but also able to handle null/true/false values.
Unfortunately it's not the case:
php > var_expo
On Jul 14, 2023, at 09:03, David Gebler wrote:
> On Fri, Jul 14, 2023 at 3:08 AM Dusk wrote:
>> 2) These expansions should probably be disabled by INI_SCANNER_RAW; that
>> flag already disables certain other types of value interpolation. (Oddly,
>> it doesn't disable expansion of constants either
On Fri, Jul 14, 2023 at 3:08 AM Dusk wrote:
> 2) These expansions should probably be disabled by INI_SCANNER_RAW; that
> flag already disables certain other types of value interpolation. (Oddly,
> it doesn't disable expansion of constants either; that might be worth
> revisiting as well.)
Envir
On Jul 13, 2023, at 18:34, David Gebler wrote:
> If you find any way to exploit this, you've already breached enough to
> have sufficient access to read the entire environment available to the PHP
> user anyway
I think Sergii's concern is that an application might be using
parse_ini_string() to
On Thu, Jul 13, 2023 at 10:25 PM Sergii Shymko wrote:
> For instance, functions parse_ini_string() and parse_ini_file() do support
> the aforementioned env variables syntax, because the underlying code is
> reused. That means that these functions can potentially be exploited to
> read sensitive i
Hi internals team,
In the discussion of extending the .ini env variable parsing capabilities with the
ability to specify defaults, it occurred to me that the whole feature of env
variables may have undesirable security implications.
For instance, functions parse_ini_string() and parse_ini_file() do sup