Re: [Concept] Flip relative function lookup order (global, then local)

From:	John Coggeshall	Date:	Wed, 21 Aug 2024 18:32:55 +0000
Subject:	Re: [Concept] Flip relative function lookup order (global, then local)
References:	1	Groups:	php.internals
Request:	Send a blank email to [email protected] to get a copy of this message

On Aug 21 2024, at 2:10 pm, Ilija Tovilo <[email protected]> wrote:
>
> Including a malicious composer package already allows for arbitrary
> code execution, do you really need more than that?
>

Of course. We've seen many examples in the wild of 3rd party libraries getting hijacked to
inject malicious code (e.g. the whole xz attack). This behavior in PHP is not obvious, and provides
a way to covertly target and hijack specific highly sensitive functions without an obvious way to
detect it -- while otherwise behaving exactly as a developer would expect.
Why possibly would we want to make it easier to perform such an attack, which as Illija pointed out
is actually making PHP slower, in the name of backward compatibility? Defense in depth is a
cornerstone of application security.
John


   

Thread (112 messages)

• Ilija ToviloFri, 02 Aug 2024 16:51:33 +0000
  • Rob LandersFri, 02 Aug 2024 17:08:36 +0000
    • Ilija ToviloSun, 04 Aug 2024 17:41:17 +0000
      • Alexandru PătrănescuTue, 20 Aug 2024 08:01:10 +0000
        • Nick LockheartTue, 20 Aug 2024 08:41:23 +0000
          • Rob LandersTue, 20 Aug 2024 09:01:34 +0000
        • Levi MorrisonTue, 20 Aug 2024 15:14:05 +0000
          • Ilija ToviloTue, 20 Aug 2024 17:04:39 +0000
            • Faizan Akram DarTue, 20 Aug 2024 21:56:50 +0000
              • Rob LandersTue, 20 Aug 2024 22:20:51 +0000
          • Christian SchneiderWed, 21 Aug 2024 02:24:00 +0000
            • Levi MorrisonWed, 21 Aug 2024 06:05:49 +0000
            • Faizan Akram DarWed, 21 Aug 2024 07:44:10 +0000
              • Christian SchneiderWed, 21 Aug 2024 09:22:40 +0000
      • Rowan Tommins [IMSoP]Thu, 22 Aug 2024 21:32:13 +0000
        • Mike SchinkelThu, 22 Aug 2024 23:15:19 +0000
          • Rowan Tommins [IMSoP]Fri, 23 Aug 2024 06:39:41 +0000Re: [Concept] Flip relative fu nction lookup order (global, then local)
            • Nick LockheartFri, 23 Aug 2024 07:27:39 +0000Re: [Concept] Flip relative function lookup order (global, then local)
              • Rob LandersFri, 23 Aug 2024 07:46:47 +0000
                • Nick LockheartFri, 23 Aug 2024 08:08:25 +0000
                  • Rob LandersFri, 23 Aug 2024 09:13:39 +0000
                    • Nick LockheartFri, 23 Aug 2024 09:34:06 +0000
                      • Christian SchneiderFri, 23 Aug 2024 10:14:28 +0000
                        • Rob LandersFri, 23 Aug 2024 10:27:21 +0000
                          • Christian SchneiderFri, 23 Aug 2024 12:56:21 +0000
                            • Rob LandersFri, 23 Aug 2024 13:16:19 +0000
                            • Mike SchinkelFri, 23 Aug 2024 13:44:39 +0000
                  • Mike SchinkelFri, 23 Aug 2024 11:52:01 +0000
                    • Christoph M. BeckerFri, 23 Aug 2024 12:13:44 +0000Re: [Concept] Flip relative function lookup order (global,then local)
                  • Stephen ReayFri, 23 Aug 2024 13:18:50 +0000
              • Rowan Tommins [IMSoP]Fri, 23 Aug 2024 08:52:28 +0000
            • Mike SchinkelFri, 23 Aug 2024 11:29:04 +0000Re: [Concept] Flip relative function lookup order (global, then local)
              • Rowan Tommins [IMSoP]Fri, 23 Aug 2024 11:50:10 +0000
                • Mike SchinkelFri, 23 Aug 2024 12:04:22 +0000
                  • Rowan Tommins [IMSoP]Fri, 23 Aug 2024 12:33:45 +0000Re: [Concept] Flip relative fu nction lookup order (global, then local)
                    • Mike SchinkelFri, 23 Aug 2024 12:45:38 +0000Re: [Concept] Flip relative function lookup order (global, then local)
                      • Rowan Tommins [IMSoP]Fri, 23 Aug 2024 13:07:14 +0000
                        • Mike SchinkelFri, 23 Aug 2024 13:28:33 +0000
        • Nick LockheartFri, 23 Aug 2024 00:42:38 +0000
          • Rowan Tommins [IMSoP]Fri, 23 Aug 2024 08:16:26 +0000Re: [Concept] Flip relative fu nction lookup order (global, then local)
            • Nick LockheartFri, 23 Aug 2024 09:27:20 +0000Re: [Concept] Flip relative function lookup order (global, then local)
              • Rob LandersFri, 23 Aug 2024 12:16:57 +0000
                • Rob LandersFri, 23 Aug 2024 12:23:11 +0000
            • Stephen ReayFri, 23 Aug 2024 09:58:02 +0000Re: [Concept] Flip relative function lookup order (global, then local)
              • Paul DragoonisFri, 23 Aug 2024 10:19:30 +0000
              • Rowan Tommins [IMSoP]Fri, 23 Aug 2024 10:29:32 +0000
                • Stephen ReayFri, 23 Aug 2024 12:43:58 +0000
                  • Rowan Tommins [IMSoP]Fri, 23 Aug 2024 13:20:55 +0000
                    • Stephen ReayFri, 23 Aug 2024 14:04:32 +0000
                      • Rowan Tommins [IMSoP]Fri, 23 Aug 2024 15:49:37 +0000Re: [Concept] Flip relative fu nction lookup order (global, then local)
                        • John CoggeshallFri, 23 Aug 2024 16:13:52 +0000Re: [Concept] Flip relative function lookup order (global, then local)
                          • Stephen ReayFri, 23 Aug 2024 16:35:02 +0000
                            • John CoggeshallFri, 23 Aug 2024 17:10:48 +0000
                              • John CoggeshallFri, 23 Aug 2024 17:13:00 +0000
                        • Stephen ReayFri, 23 Aug 2024 16:27:35 +0000Re: [Concept] Flip relative function lookup order (global, then local)
                          • John CoggeshallFri, 23 Aug 2024 16:56:32 +0000
                            • Stephen ReayFri, 23 Aug 2024 17:46:48 +0000
                              • John CoggeshallFri, 23 Aug 2024 18:37:39 +0000
                                • Stephen ReayFri, 23 Aug 2024 19:28:01 +0000
                        • Ilija ToviloFri, 23 Aug 2024 17:32:41 +0000Re: [Concept] Flip relative function lookup order (global, then local)
                          • Stephen ReayFri, 23 Aug 2024 18:10:44 +0000
                            • Ilija ToviloFri, 23 Aug 2024 18:17:03 +0000
                              • Stephen ReaySat, 24 Aug 2024 11:54:09 +0000
                                • Ilija ToviloSat, 24 Aug 2024 17:01:48 +0000
                                  • Stephen ReaySat, 24 Aug 2024 18:16:13 +0000
                                    • Rob LandersSat, 24 Aug 2024 20:36:43 +0000
                                    • Rowan Tommins [IMSoP]Sat, 24 Aug 2024 22:58:16 +0000Re: [Concept] Flip relative fu nction lookup order (global, then local)
                                      • Rob LandersSat, 24 Aug 2024 23:15:17 +0000Re: [Concept] Flip relative function lookup order (global, then local)
                                      • Stephen ReaySun, 25 Aug 2024 05:27:41 +0000Re: [Concept] Flip relative function lookup order (global, then local)
                          • John CoggeshallFri, 23 Aug 2024 18:19:26 +0000
                            • Ilija ToviloFri, 23 Aug 2024 18:21:27 +0000
                              • Mike SchinkelSun, 25 Aug 2024 02:23:20 +0000
                          • Rob LandersFri, 23 Aug 2024 18:19:49 +0000
                          • Rowan Tommins [IMSoP]Fri, 23 Aug 2024 19:41:41 +0000Re: [Concept] Flip relative fu nction lookup order (global, then local)
                            • John CoggeshallFri, 23 Aug 2024 19:47:01 +0000Re: [Concept] Flip relative function lookup order (global, then local)
                            • Rob LandersFri, 23 Aug 2024 19:50:05 +0000Re: [Concept] Flip relative function lookup order (global, then local)
                              • Rowan Tommins [IMSoP]Fri, 23 Aug 2024 20:03:15 +0000Re: [Concept] Flip relative fu nction lookup order (global, then local)
                            • Ilija ToviloFri, 23 Aug 2024 21:57:12 +0000Re: [Concept] Flip relative function lookup order (global, then local)
                              • Rob LandersSat, 24 Aug 2024 09:00:13 +0000
                                • Rob LandersSat, 24 Aug 2024 09:09:27 +0000
                                  • Stephen ReaySat, 24 Aug 2024 11:59:45 +0000
                                    • Rob LandersSat, 24 Aug 2024 12:32:28 +0000
                                    • Ilija ToviloSat, 24 Aug 2024 16:34:41 +0000
                                      • Stephen ReaySat, 24 Aug 2024 17:11:35 +0000
                                      • Rob LandersSat, 24 Aug 2024 20:26:26 +0000
              • Rowan Tommins [IMSoP]Fri, 23 Aug 2024 11:28:13 +0000
  • Rob LandersFri, 02 Aug 2024 17:14:56 +0000
  • Nick LockheartFri, 02 Aug 2024 17:19:41 +0000
    • Rowan Tommins [IMSoP]Fri, 02 Aug 2024 17:53:50 +0000Re: [Concept] Flip relative fu nction lookup order (global, then local)
      • Nick LockheartFri, 02 Aug 2024 18:46:03 +0000Re: [Concept] Flip relative function lookup order (global, then local)
        • Rowan Tommins [IMSoP]Fri, 02 Aug 2024 20:30:42 +0000Re: [Concept] Flip relative fu nction lookup order (global, then local)
  • Thomas NunningerFri, 02 Aug 2024 17:49:54 +0000
  • Claude PacheFri, 02 Aug 2024 19:01:47 +0000
    • Ilija ToviloSun, 04 Aug 2024 17:53:11 +0000
      • Nick LockheartSun, 04 Aug 2024 18:07:27 +0000
  • BilgeFri, 02 Aug 2024 20:37:23 +0000
    • Nick LockheartFri, 02 Aug 2024 22:00:33 +0000
      • Christoph M. BeckerFri, 02 Aug 2024 22:48:27 +0000Re: [Concept] Flip relative function lookup order(global, then local)
      • DeleuFri, 02 Aug 2024 22:48:38 +0000
        • Nick LockheartSun, 04 Aug 2024 06:19:18 +0000Request for RFC Karma
          • Christoph M. BeckerSun, 04 Aug 2024 09:52:30 +0000
      • Rowan Tommins [IMSoP]Thu, 22 Aug 2024 21:40:45 +0000
    • John CoggeshallWed, 21 Aug 2024 08:23:13 +0000
      • Rob LandersWed, 21 Aug 2024 12:03:57 +0000
        • John CoggeshallWed, 21 Aug 2024 18:02:11 +0000
          • Ilija ToviloWed, 21 Aug 2024 18:10:50 +0000
            • John CoggeshallWed, 21 Aug 2024 18:32:55 +0000
              • John CoggeshallWed, 21 Aug 2024 18:35:29 +0000
              • Rob LandersThu, 22 Aug 2024 08:09:52 +0000
                • John CoggeshallThu, 22 Aug 2024 17:56:30 +0000
  • Derick RethansMon, 05 Aug 2024 11:23:50 +0000
    • Ilija ToviloMon, 05 Aug 2024 13:15:46 +0000