Re: [Concept] Flip relative function lookup order (global, then local)

From:	John Coggeshall	Date:	Thu, 22 Aug 2024 17:56:30 +0000
Subject:	Re: [Concept] Flip relative function lookup order (global, then local)
References:	1	Groups:	php.internals
Request:	Send a blank email to [email protected] to get a copy of this message

On Aug 22 2024, at 4:09 am, Rob Landers <[email protected]> wrote:
>
> If you have the ability to inject arbitrary code, you've already lost. It doesn't
> matter whether they use this feature, or just register a shutdown function, autoloader, replace
> classes/functions/methods entirely, or whatever. Should we remove those features as well?
I think it's a fallacy to claim "well if they got this far the game is over" when it
comes to application security. There are a million ways an attacker could use this feature to
covertly gain access to things like passwords before they are encrypted, etc. that would enable
lateral movement within an organization that otherwise they might have difficulty achieving even
with RCE in a properly locked down system (e.g. PHP doesn't have the ability to write to the
filesystem / overwrite existing classes, etc.)
Regarding the subject at hand I've made my case here and we can agree to disagree -- changing
the function lookup order is an easy win with security benefits and, according to Ilija, performance
benefits. I think it should be seriously considered.
John


   

Thread (112 messages)

• Ilija ToviloFri, 02 Aug 2024 16:51:33 +0000
  • Rob LandersFri, 02 Aug 2024 17:08:36 +0000
    • Ilija ToviloSun, 04 Aug 2024 17:41:17 +0000
      • Alexandru PătrănescuTue, 20 Aug 2024 08:01:10 +0000
        • Nick LockheartTue, 20 Aug 2024 08:41:23 +0000
          • Rob LandersTue, 20 Aug 2024 09:01:34 +0000
        • Levi MorrisonTue, 20 Aug 2024 15:14:05 +0000
          • Ilija ToviloTue, 20 Aug 2024 17:04:39 +0000
            • Faizan Akram DarTue, 20 Aug 2024 21:56:50 +0000
              • Rob LandersTue, 20 Aug 2024 22:20:51 +0000
          • Christian SchneiderWed, 21 Aug 2024 02:24:00 +0000
            • Levi MorrisonWed, 21 Aug 2024 06:05:49 +0000
            • Faizan Akram DarWed, 21 Aug 2024 07:44:10 +0000
              • Christian SchneiderWed, 21 Aug 2024 09:22:40 +0000
      • Rowan Tommins [IMSoP]Thu, 22 Aug 2024 21:32:13 +0000
        • Mike SchinkelThu, 22 Aug 2024 23:15:19 +0000
          • Rowan Tommins [IMSoP]Fri, 23 Aug 2024 06:39:41 +0000Re: [Concept] Flip relative fu nction lookup order (global, then local)
            • Nick LockheartFri, 23 Aug 2024 07:27:39 +0000Re: [Concept] Flip relative function lookup order (global, then local)
              • Rob LandersFri, 23 Aug 2024 07:46:47 +0000
                • Nick LockheartFri, 23 Aug 2024 08:08:25 +0000
                  • Rob LandersFri, 23 Aug 2024 09:13:39 +0000
                    • Nick LockheartFri, 23 Aug 2024 09:34:06 +0000
                      • Christian SchneiderFri, 23 Aug 2024 10:14:28 +0000
                        • Rob LandersFri, 23 Aug 2024 10:27:21 +0000
                          • Christian SchneiderFri, 23 Aug 2024 12:56:21 +0000
                            • Rob LandersFri, 23 Aug 2024 13:16:19 +0000
                            • Mike SchinkelFri, 23 Aug 2024 13:44:39 +0000
                  • Mike SchinkelFri, 23 Aug 2024 11:52:01 +0000
                    • Christoph M. BeckerFri, 23 Aug 2024 12:13:44 +0000Re: [Concept] Flip relative function lookup order (global,then local)
                  • Stephen ReayFri, 23 Aug 2024 13:18:50 +0000
              • Rowan Tommins [IMSoP]Fri, 23 Aug 2024 08:52:28 +0000
            • Mike SchinkelFri, 23 Aug 2024 11:29:04 +0000Re: [Concept] Flip relative function lookup order (global, then local)
              • Rowan Tommins [IMSoP]Fri, 23 Aug 2024 11:50:10 +0000
                • Mike SchinkelFri, 23 Aug 2024 12:04:22 +0000
                  • Rowan Tommins [IMSoP]Fri, 23 Aug 2024 12:33:45 +0000Re: [Concept] Flip relative fu nction lookup order (global, then local)
                    • Mike SchinkelFri, 23 Aug 2024 12:45:38 +0000Re: [Concept] Flip relative function lookup order (global, then local)
                      • Rowan Tommins [IMSoP]Fri, 23 Aug 2024 13:07:14 +0000
                        • Mike SchinkelFri, 23 Aug 2024 13:28:33 +0000
        • Nick LockheartFri, 23 Aug 2024 00:42:38 +0000
          • Rowan Tommins [IMSoP]Fri, 23 Aug 2024 08:16:26 +0000Re: [Concept] Flip relative fu nction lookup order (global, then local)
            • Nick LockheartFri, 23 Aug 2024 09:27:20 +0000Re: [Concept] Flip relative function lookup order (global, then local)
              • Rob LandersFri, 23 Aug 2024 12:16:57 +0000
                • Rob LandersFri, 23 Aug 2024 12:23:11 +0000
            • Stephen ReayFri, 23 Aug 2024 09:58:02 +0000Re: [Concept] Flip relative function lookup order (global, then local)
              • Paul DragoonisFri, 23 Aug 2024 10:19:30 +0000
              • Rowan Tommins [IMSoP]Fri, 23 Aug 2024 10:29:32 +0000
                • Stephen ReayFri, 23 Aug 2024 12:43:58 +0000
                  • Rowan Tommins [IMSoP]Fri, 23 Aug 2024 13:20:55 +0000
                    • Stephen ReayFri, 23 Aug 2024 14:04:32 +0000
                      • Rowan Tommins [IMSoP]Fri, 23 Aug 2024 15:49:37 +0000Re: [Concept] Flip relative fu nction lookup order (global, then local)
                        • John CoggeshallFri, 23 Aug 2024 16:13:52 +0000Re: [Concept] Flip relative function lookup order (global, then local)
                          • Stephen ReayFri, 23 Aug 2024 16:35:02 +0000
                            • John CoggeshallFri, 23 Aug 2024 17:10:48 +0000
                              • John CoggeshallFri, 23 Aug 2024 17:13:00 +0000
                        • Stephen ReayFri, 23 Aug 2024 16:27:35 +0000Re: [Concept] Flip relative function lookup order (global, then local)
                          • John CoggeshallFri, 23 Aug 2024 16:56:32 +0000
                            • Stephen ReayFri, 23 Aug 2024 17:46:48 +0000
                              • John CoggeshallFri, 23 Aug 2024 18:37:39 +0000
                                • Stephen ReayFri, 23 Aug 2024 19:28:01 +0000
                        • Ilija ToviloFri, 23 Aug 2024 17:32:41 +0000Re: [Concept] Flip relative function lookup order (global, then local)
                          • Stephen ReayFri, 23 Aug 2024 18:10:44 +0000
                            • Ilija ToviloFri, 23 Aug 2024 18:17:03 +0000
                              • Stephen ReaySat, 24 Aug 2024 11:54:09 +0000
                                • Ilija ToviloSat, 24 Aug 2024 17:01:48 +0000
                                  • Stephen ReaySat, 24 Aug 2024 18:16:13 +0000
                                    • Rob LandersSat, 24 Aug 2024 20:36:43 +0000
                                    • Rowan Tommins [IMSoP]Sat, 24 Aug 2024 22:58:16 +0000Re: [Concept] Flip relative fu nction lookup order (global, then local)
                                      • Rob LandersSat, 24 Aug 2024 23:15:17 +0000Re: [Concept] Flip relative function lookup order (global, then local)
                                      • Stephen ReaySun, 25 Aug 2024 05:27:41 +0000Re: [Concept] Flip relative function lookup order (global, then local)
                          • John CoggeshallFri, 23 Aug 2024 18:19:26 +0000
                            • Ilija ToviloFri, 23 Aug 2024 18:21:27 +0000
                              • Mike SchinkelSun, 25 Aug 2024 02:23:20 +0000
                          • Rob LandersFri, 23 Aug 2024 18:19:49 +0000
                          • Rowan Tommins [IMSoP]Fri, 23 Aug 2024 19:41:41 +0000Re: [Concept] Flip relative fu nction lookup order (global, then local)
                            • John CoggeshallFri, 23 Aug 2024 19:47:01 +0000Re: [Concept] Flip relative function lookup order (global, then local)
                            • Rob LandersFri, 23 Aug 2024 19:50:05 +0000Re: [Concept] Flip relative function lookup order (global, then local)
                              • Rowan Tommins [IMSoP]Fri, 23 Aug 2024 20:03:15 +0000Re: [Concept] Flip relative fu nction lookup order (global, then local)
                            • Ilija ToviloFri, 23 Aug 2024 21:57:12 +0000Re: [Concept] Flip relative function lookup order (global, then local)
                              • Rob LandersSat, 24 Aug 2024 09:00:13 +0000
                                • Rob LandersSat, 24 Aug 2024 09:09:27 +0000
                                  • Stephen ReaySat, 24 Aug 2024 11:59:45 +0000
                                    • Rob LandersSat, 24 Aug 2024 12:32:28 +0000
                                    • Ilija ToviloSat, 24 Aug 2024 16:34:41 +0000
                                      • Stephen ReaySat, 24 Aug 2024 17:11:35 +0000
                                      • Rob LandersSat, 24 Aug 2024 20:26:26 +0000
              • Rowan Tommins [IMSoP]Fri, 23 Aug 2024 11:28:13 +0000
  • Rob LandersFri, 02 Aug 2024 17:14:56 +0000
  • Nick LockheartFri, 02 Aug 2024 17:19:41 +0000
    • Rowan Tommins [IMSoP]Fri, 02 Aug 2024 17:53:50 +0000Re: [Concept] Flip relative fu nction lookup order (global, then local)
      • Nick LockheartFri, 02 Aug 2024 18:46:03 +0000Re: [Concept] Flip relative function lookup order (global, then local)
        • Rowan Tommins [IMSoP]Fri, 02 Aug 2024 20:30:42 +0000Re: [Concept] Flip relative fu nction lookup order (global, then local)
  • Thomas NunningerFri, 02 Aug 2024 17:49:54 +0000
  • Claude PacheFri, 02 Aug 2024 19:01:47 +0000
    • Ilija ToviloSun, 04 Aug 2024 17:53:11 +0000
      • Nick LockheartSun, 04 Aug 2024 18:07:27 +0000
  • BilgeFri, 02 Aug 2024 20:37:23 +0000
    • Nick LockheartFri, 02 Aug 2024 22:00:33 +0000
      • Christoph M. BeckerFri, 02 Aug 2024 22:48:27 +0000Re: [Concept] Flip relative function lookup order(global, then local)
      • DeleuFri, 02 Aug 2024 22:48:38 +0000
        • Nick LockheartSun, 04 Aug 2024 06:19:18 +0000Request for RFC Karma
          • Christoph M. BeckerSun, 04 Aug 2024 09:52:30 +0000
      • Rowan Tommins [IMSoP]Thu, 22 Aug 2024 21:40:45 +0000
    • John CoggeshallWed, 21 Aug 2024 08:23:13 +0000
      • Rob LandersWed, 21 Aug 2024 12:03:57 +0000
        • John CoggeshallWed, 21 Aug 2024 18:02:11 +0000
          • Ilija ToviloWed, 21 Aug 2024 18:10:50 +0000
            • John CoggeshallWed, 21 Aug 2024 18:32:55 +0000
              • John CoggeshallWed, 21 Aug 2024 18:35:29 +0000
              • Rob LandersThu, 22 Aug 2024 08:09:52 +0000
                • John CoggeshallThu, 22 Aug 2024 17:56:30 +0000
  • Derick RethansMon, 05 Aug 2024 11:23:50 +0000
    • Ilija ToviloMon, 05 Aug 2024 13:15:46 +0000