|
|
php.net | support | documentation | report a bug | advanced search | search howto | statistics | random bug | login |
PatchesPull RequestsHistoryAllCommentsChangesGit/SVN commits
[2018-03-12 16:12 UTC] cmb@php.net
-Package: Unknown/Other Function
+Package: PHP options/info functions
[2020-01-03 09:47 UTC] nikic@php.net
-Status: Open
+Status: Closed
-Assigned To:
+Assigned To: nikic
[2020-01-03 09:47 UTC] nikic@php.net
|
|||||||||||||||||||||||||||||||||
Copyright © 2001-2020 The PHP GroupAll rights reserved. |
Last updated: Thu Apr 02 23:01:23 2020 UTC |
Description: ------------ assert() being able to evaluate its first argument if it is a string can lead to security problems, especially on shared hosting where assertions are usually enabled by default. This way assert() may be used as a way to execute malicious code. A good idea for the next PHP 7 release would be to add an option to assert_options() to be able to disable the eval() feature of assert() for strings. An example of this idea: <?php assert_options(ASSERT_EVAL, false); assert('print("OK");'); // evaluated as string => true, assertion successful ?> And on the next major PHP version we could then disable evaluation by default (BC break), and still let users enable that if needed. This would improve default security of PHP installations. Test script: --------------- <?php // Example of possible remote code execution function getUser($id) { assert($id, 'User ID is not present'); } getUser($_GET['id']);