Re: [Concept] Flip relative function lookup order (global, then local)

Date: Thu, 22 Aug 2024 08:09:52 +0000
Groups: php.internals
On Wed, Aug 21, 2024, at 20:32, John Coggeshall wrote:
> 
> 
> On Aug 21 2024, at 2:10 pm, Ilija Tovilo <[email protected]> wrote:
>> 
>> Including a malicious composer package already allows for arbitrary
>> code execution, do you really need more than that?
> 
> Of course. We've seen many examples in the wild of 3rd party libraries getting hijacked to
> inject malicious code (e.g. the whole xz attack). This behavior in PHP is not
> obvious, and provides a way to covertly target and hijack specific highly sensitive functions
> without an obvious way to detect it -- while otherwise behaving exactly as a developer would expect.
> 
> Why possibly would we want to make it easier to perform such an attack, which as Ilija pointed
> out is actually making PHP slower, in the name of backward compatibility? Defense in depth is a
> cornerstone of application security.
> 
> John

If you have the ability to inject arbitrary code, you've already lost. It doesn't matter
whether they use this feature, or just register a shutdown function, autoloader, replace
classes/functions/methods entirely, or whatever. Should we remove those features as well?

— Rob
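The lookup behaviour the thread is arguing about, as an added example that is not part of the original message: inside a namespace PHP resolves an unqualified function call to the namespace-local function first and only then falls back to the global one, so a namespaced function that reuses a builtin's short name is picked ahead of the builtin. The `App\Vendor` and `App\Audit` namespaces and the `shadowedInternals()` helper are constructed for this example; the helper lists user-defined functions whose short name matches a PHP internal function, which is one thing a code review or CI step can check for, alongside writing `\strlen()` or `use function strlen;` so the call can never be redirected.

```php
<?php
// Added example (not from the thread). Shows current PHP lookup order
// (namespace-local first, then global) and two defensive measures.
// All namespaces and function names below are constructed.

namespace App\Vendor {
    // A namespaced function whose short name collides with a global builtin.
    // Unqualified strlen() calls inside App\Vendor resolve to this function.
    function strlen(string $s): int {
        return -1; // deliberately wrong so the shadowing is visible
    }

    // Relative call: resolved to App\Vendor\strlen, not the builtin.
    function unqualified(string $s): int { return strlen($s); }

    // Fully qualified call: always the global builtin, regardless of
    // what the enclosing namespace declares.
    function qualified(string $s): int { return \strlen($s); }
}

namespace App\Audit {
    // Defensive check: user-defined functions whose short name matches a
    // PHP internal function. These are the declarations that can shadow
    // a builtin for relative calls in their namespace.
    function shadowedInternals(): array {
        $defined  = \get_defined_functions();
        $internal = \array_flip($defined['internal']);
        $hits = [];
        foreach ($defined['user'] as $fn) {
            // Strip the namespace prefix to get the short name.
            $short = \substr(\strrchr('\\' . $fn, '\\'), 1);
            if (isset($internal[$short])) {
                $hits[] = $fn;
            }
        }
        return $hits;
    }
}

namespace {
    var_dump(App\Vendor\unqualified('abc')); // shadowed by App\Vendor\strlen
    var_dump(App\Vendor\qualified('abc'));   // global strlen
    print_r(App\Audit\shadowedInternals());  // reports app\vendor\strlen
}
```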

