|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Request #72999 assert_options should allow to disable evaluation of strings in assert()
Submitted: 2016-09-02 02:17 UTC Modified: 2020-01-03 09:47 UTC
Avg. Score:5.0 ± 0.0
Reproduced:0 of 0 (0.0%)
From: php dot bohwaz at miam dot kd2 dot org Assigned: nikic (profile)
Status: Closed Package: PHP options/info functions
PHP Version: 5.6.25 OS: All
Private report: No CVE-ID: None
 [2016-09-02 02:17 UTC] php dot bohwaz at miam dot kd2 dot org
assert() being able to evaluate its first argument if it is a string can lead to security problems, especially on shared hosting where assertions are usually enabled by default.

This way assert() may be used as a way to execute malicious code.

A good idea for the next PHP 7 release would be to add an option to assert_options() to be able to disable the eval() feature of assert() for strings. An example of this idea:

assert_options(ASSERT_EVAL, false);

assert('print("OK");'); // evaluated as string => true, assertion successful

And on the next major PHP version we could then disable evaluation by default (BC break), and still let users enable that if needed. This would improve default security of PHP installations.

Test script:

// Example of possible remote code execution

function getUser($id)
    assert($id, 'User ID is not present');



Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2018-03-12 16:12 UTC]
-Package: Unknown/Other Function +Package: PHP options/info functions
 [2020-01-03 09:47 UTC]
-Status: Open +Status: Closed -Assigned To: +Assigned To: nikic
 [2020-01-03 09:47 UTC]
Evaluation of strings in assert() has been deprecated in PHP 7.2 and removed in PHP 8.0, so I'm considering this as resolved.
PHP Copyright © 2001-2021 The PHP Group
All rights reserved.
Last updated: Sun Aug 01 11:01:24 2021 UTC