|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Request #72999 assert_options should allow to disable evaluation of strings in assert()
Submitted: 2016-09-02 02:17 UTC Modified: 2020-01-03 09:47 UTC
Avg. Score:5.0 ± 0.0
Reproduced:0 of 0 (0.0%)
From: php dot bohwaz at miam dot kd2 dot org Assigned: nikic (profile)
Status: Closed Package: PHP options/info functions
PHP Version: 5.6.25 OS: All
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
Block user comment
Status: Assign to:
Bug Type:
From: php dot bohwaz at miam dot kd2 dot org
New email:
PHP Version: OS:


 [2016-09-02 02:17 UTC] php dot bohwaz at miam dot kd2 dot org
assert() being able to evaluate its first argument if it is a string can lead to security problems, especially on shared hosting where assertions are usually enabled by default.

This way assert() may be used as a way to execute malicious code.

A good idea for the next PHP 7 release would be to add an option to assert_options() to be able to disable the eval() feature of assert() for strings. An example of this idea:

assert_options(ASSERT_EVAL, false);

assert('print("OK");'); // evaluated as string => true, assertion successful

And on the next major PHP version we could then disable evaluation by default (BC break), and still let users enable that if needed. This would improve default security of PHP installations.

Test script:

// Example of possible remote code execution

function getUser($id)
    assert($id, 'User ID is not present');



Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2018-03-12 16:12 UTC]
-Package: Unknown/Other Function +Package: PHP options/info functions
 [2020-01-03 09:47 UTC]
-Status: Open +Status: Closed -Assigned To: +Assigned To: nikic
 [2020-01-03 09:47 UTC]
Evaluation of strings in assert() has been deprecated in PHP 7.2 and removed in PHP 8.0, so I'm considering this as resolved.
PHP Copyright © 2001-2021 The PHP Group
All rights reserved.
Last updated: Mon Jul 26 01:01:23 2021 UTC