Thanks for the reference. For convenience, here's the PR that contains a bit more context: https://github.com/php/php-src/pull/4084
Definitely don't want to screw up Xdebug, so this would require a more nuanced approach (see also: why I don't want to just try to create a patch).

Again, this doesn't solve attack vectors where attackers can write to the FS and then include from it. But it does close one-step "read from this URL, base64-decode, and eval the result" approaches. One less tool in the hacker toolbox for "cleanly" executing arbitrary code is all I'm looking for here.

Ian

On Tue, Nov 26, 2019 at 12:45 PM Guilliam Xavier <guilliam.xav...@gmail.com> wrote:

> For the record, a few months ago,
> https://github.com/php/php-src/pull/4084 (extending
> `disable_functions` to handle `eval`) was first merged but finally
> reverted (requested by Xdebug), and the feature request
> https://bugs.php.net/bug.php?id=62397 was closed (with an
> explanation).
>
> --
> Guilliam Xavier