PHP :: Bug #76666 :: create_function code evasion

Bug #76666	create_function code evasion
Submitted:	2018-07-26 04:01 UTC	Modified:	2018-07-26 06:43 UTC
From:	i at sym01 dot com	Assigned:
Status:	Not a bug	Package:	*General Issues
PHP Version:	Irrelevant	OS:	*
Private report:	No	CVE-ID:	None

View Developer Edit

[2018-07-26 04:01 UTC] i at sym01 dot com

Description:
------------
create_function can execute PHP code directly, which may cause some security problems.

Test script:
---------------
<?php
echo "result: ";

$payload1 = <<<EOF
echo 'normal';
EOF;

create_function('', $payload1);

$payload2 = <<<EOF
}
echo '[VULN]';//
EOF;

create_function('', $payload2);

Expected result:
----------------
result: 

Actual result:
--------------
result: [VULN]

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2018-07-26 06:43 UTC] requinix@php.net

-Status: Open +Status: Not a bug

[2018-07-26 06:43 UTC] requinix@php.net

Thank you for taking the time to write to us, but this is not
a bug. Please double-check the documentation available at
http://www.php.net/manual/ and the instructions on how to report
a bug at http://bugs.php.net/how-to-report.php

http://php.net/manual/en/function.create-function.php
> Caution
> This function internally performs an eval() and as such has the same security issues as eval(). Additionally it
> has bad performance and memory usage characteristics.
> If you are using PHP 5.3.0 or newer a native anonymous function should be used instead.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Sat Dec 20 09:00:01 2025 UTC