Bug #76666 create_function code evasion
Submitted: 2018-07-26 04:01 UTC Modified: 2018-07-26 06:43 UTC
From: i at sym01 dot com Assigned:
Status: Not a bug Package: *General Issues
PHP Version: Irrelevant OS: *
Private report: No CVE-ID: None
 [2018-07-26 04:01 UTC] i at sym01 dot com
Description:
------------
create_function can execute PHP code directly, which may cause some security problems.

Test script:
---------------
<?php
echo "result: ";

$payload1 = <<<EOF
echo 'normal';
EOF;

create_function('', $payload1);

$payload2 = <<<EOF
}
echo '[VULN]';//
EOF;

create_function('', $payload2);

Expected result:
----------------
result: 

Actual result:
--------------
result: [VULN]

History

 [2018-07-26 06:43 UTC] requinix@php.net
-Status: Open +Status: Not a bug
 [2018-07-26 06:43 UTC] requinix@php.net
Thank you for taking the time to write to us, but this is not
a bug. Please double-check the documentation available at
http://www.php.net/manual/ and the instructions on how to report
a bug at http://bugs.php.net/how-to-report.php

http://php.net/manual/en/function.create-function.php
> Caution
> This function internally performs an eval() and as such has the same security issues as eval(). Additionally it
> has bad performance and memory usage characteristics.
> If you are using PHP 5.3.0 or newer a native anonymous function should be used instead.
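Following the closure recommendation in the reply above, an added example (not part of this bug report or of PHP's own code) that shows a legacy sort helper built with create_function beside its closure-based rewrite; the function names, the allow-list and the sample records are constructed for illustration.

```php
<?php
// Added example, not from the bug report. Contrasts a create_function-based
// comparator with a native closure. Names and data below are constructed.

// Legacy shape: the caller's string is spliced into PHP source that
// create_function() wraps in "function(...) { ... }" and eval()s. A value
// containing "}" closes that generated function early, which is exactly the
// escape the report demonstrates. create_function() was deprecated in PHP 7.2
// and removed in 8.0; this function is defined only to show the pattern.
function legacyComparator(string $field): callable
{
    return create_function('$a, $b', "return \$a['$field'] <=> \$b['$field'];");
}

// Hardened form: no source text is assembled at runtime. The field name is
// checked against an allow-list and then captured by the closure as data, so
// no value of $field can change which code runs.
function safeComparator(string $field, array $allowedFields): callable
{
    if (!in_array($field, $allowedFields, true)) {
        throw new InvalidArgumentException("unknown sort field: $field");
    }
    return static function (array $a, array $b) use ($field): int {
        return $a[$field] <=> $b[$field];
    };
}

// Constructed sample records and the fields a client may sort on.
$records = [
    ['name' => 'carol', 'age' => 41],
    ['name' => 'alice', 'age' => 29],
    ['name' => 'bob',   'age' => 35],
];
$allowed = ['name', 'age'];

usort($records, safeComparator('age', $allowed));
echo implode(',', array_column($records, 'name')), "\n";

// The report's brace-escape payload is plain data here and is simply rejected.
try {
    safeComparator("}\necho '[VULN]';//", $allowed);
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
```

In code that still calls create_function, any body or parameter string derived from input outside the program is the thing to look for; the fix is to move the logic into a closure and pass the variable parts through `use`.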
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Apr 25 03:01:29 2024 UTC