php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Request #72999 assert_options should allow to disable evaluation of strings in assert()
Submitted: 2016-09-02 02:17 UTC Modified: 2018-03-12 16:12 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:0 of 0 (0.0%)
From: php dot bohwaz at miam dot kd2 dot org Assigned:
Status: Open Package: PHP options/info functions
PHP Version: 5.6.25 OS: All
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: php dot bohwaz at miam dot kd2 dot org
New email:
PHP Version: OS:

 

 [2016-09-02 02:17 UTC] php dot bohwaz at miam dot kd2 dot org
Description:
------------
assert() being able to evaluate its first argument if it is a string can lead to security problems, especially on shared hosting where assertions are usually enabled by default.

This way assert() may be used as a way to execute malicious code.

A good idea for the next PHP 7 release would be to add an option to assert_options() to be able to disable the eval() feature of assert() for strings. An example of this idea:

<?php
assert_options(ASSERT_EVAL, false);

assert('print("OK");'); // evaluated as string => true, assertion successful
?>

And on the next major PHP version we could then disable evaluation by default (BC break), and still let users enable that if needed. This would improve default security of PHP installations.

Test script:
---------------
<?php

// Example of possible remote code execution

function getUser($id)
{
    assert($id, 'User ID is not present');
}

getUser($_GET['id']);



Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2018-03-12 16:12 UTC] cmb@php.net
-Package: Unknown/Other Function +Package: PHP options/info functions
 
PHP Copyright © 2001-2019 The PHP Group
All rights reserved.
Last updated: Sun Dec 08 18:01:24 2019 UTC