php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Request #72999 assert_options should allow to disable evaluation of strings in assert()
Submitted: 2016-09-02 02:17 UTC Modified: 2018-03-12 16:12 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:0 of 0 (0.0%)
From: php dot bohwaz at miam dot kd2 dot org Assigned:
Status: Open Package: PHP options/info functions
PHP Version: 5.6.25 OS: All
Private report: No CVE-ID: None
View Add Comment Developer Edit
Have you experienced this issue?
Rate the importance of this bug to you:

 [2016-09-02 02:17 UTC] php dot bohwaz at miam dot kd2 dot org 
Description:
------------
assert() being able to evaluate its first argument if it is a string can lead to security problems, especially on shared hosting where assertions are usually enabled by default.

This way assert() may be used as a way to execute malicious code.

A good idea for the next PHP 7 release would be to add an option to assert_options() to be able to disable the eval() feature of assert() for strings. An example of this idea:

<?php
assert_options(ASSERT_EVAL, false);

assert('print("OK");'); // evaluated as string => true, assertion successful
?>

And on the next major PHP version we could then disable evaluation by default (BC break), and still let users enable that if needed. This would improve default security of PHP installations.

Test script:
---------------
<?php

// Example of possible remote code execution

function getUser($id)
{
    assert($id, 'User ID is not present');
}

getUser($_GET['id']);

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2018-03-12 16:12 UTC] cmb@php.net
-Package: Unknown/Other Function +Package: PHP options/info functions
 
PHP Copyright © 2001-2019 The PHP Group
All rights reserved. 		Last updated: Fri May 24 21:01:26 2019 UTC