create_function() will be gone as of PHP 8 anyway. For eval(), e.g. psysh uses it (and, as a result, e.g. Laravel Tinker). So defaulting eval to disabled doesn't seem tenable. Not what I'm asking anyway... I just want the *ability* to turn it off (likely only in apache/fpm configs actually, leaving it on for the CLI).
On Tue, Nov 26, 2019 at 3:44 PM Mike Schinkel <m...@newclarity.net> wrote:

> On Nov 26, 2019, at 11:27 AM, Ian Littman <ians...@gmail.com> wrote:
>
> > You're right that turning off eval() isn't a silver bullet, and if you can get external code running on someone's box there are a lot worse things you can do.
> >
> > On Tue, Nov 26, 2019 at 10:11 AM Benjamin Morel <benjamin.mo...@gmail.com> wrote:
> >
> > > Hi Ian,
> > >
> > > IMO, eval() is secure, as long as:
> > >
> > > - you're not using it, or
> > > - you're using it properly
> > >
> > > I'd say that as soon as your server has been compromised, eval() is the last of your worries, as pretty much anything becomes possible, including writing PHP code to a file and including/executing it. So I feel like disabling eval() will just make « hackers » have a good laugh
>
> There *might* be a good argument for turning eval() and create_function() off by default for command-line use?
>
> #jmtcw
>
> -Mike