Hey Kamil,
On 23.7.2025 21:01:14, Kamil Tekiela wrote:
> This would prevent most of the vulnerabilities found in the dataset and we cannot think of a valid use case for allowing this behavior

But not all. This function is dangerous on its own. Attack vectors are 99% through superglobals but could come from other sources too. However, this functio

Hey everyone,
as part of our security research, we studied the attack surface of the
extract() function when being called with user-controlled input. Calling
extract($_GET) allows an attacker to overwrite all variables in the
current scope, which could lead to vulnerabilities. We analyzed the
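The variable-clobbering behaviour described above, shown as an added example that is not code from the thread or from the PHP project. It places a security-relevant local next to `extract()` on request data, then shows a hardened variant that only extracts an explicit allow-list of keys and uses `EXTR_SKIP` so existing variables are never overwritten. The `$constructed` request array and the function names are assumptions made for the illustration.

```php
<?php
// Added example: how extract() on user-controlled input clobbers locals,
// beside a form that does not.

// Vulnerable pattern: extract() on the raw request overwrites any variable
// in the current scope, including ones that gate authorization.
function vulnerableHandler(array $request): string {
    $is_admin = false;           // security-relevant local
    extract($request);           // a request key "is_admin" replaces it
    return $is_admin ? 'admin' : 'user';
}

// Hardened pattern: only the keys the handler actually expects are
// extracted, and EXTR_SKIP refuses to overwrite variables that already exist.
function hardenedHandler(array $request): string {
    $is_admin = false;
    $allowed  = ['page', 'sort'];                          // explicit allow-list
    $params   = array_intersect_key($request, array_flip($allowed));
    extract($params, EXTR_SKIP);                           // never clobbers $is_admin
    return $is_admin ? 'admin' : 'user';
}

// Constructed request, standing in for $_GET from ?is_admin=1&page=home
$constructed = ['is_admin' => '1', 'page' => 'home'];

echo 'vulnerable: ', vulnerableHandler($constructed), PHP_EOL;
echo 'hardened:   ', hardenedHandler($constructed), PHP_EOL;
```

With the constructed request, `vulnerableHandler()` reports `admin` because the string `'1'` replaced `$is_admin`, while `hardenedHandler()` reports `user`: the allow-list drops `is_admin` before `extract()` runs, and `EXTR_SKIP` would have protected the existing variable even if the key had slipped through. The allow-list is the real fix; `EXTR_SKIP` alone still lets untrusted keys create new variables that later code may read.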