On Jul 13, 2023, at 18:34, David Gebler <davidgeb...@gmail.com> wrote:

> If you find any way to exploit this, you've already breached enough to
> have sufficient access to read the entire environment available to the PHP
> user anyway
I think Sergii's concern is that an application might be using parse_ini_string() to transform user-provided string data into an array, and that it might not expect environment variables to be expanded in this context. IMO, this is a valid concern, and:

1) Expansion of environment variables and php_ini settings needs to be mentioned more prominently in the documentation for parse_ini_string() and parse_ini_file(), with an explicit caution against using the functions on untrusted input.

2) These expansions should probably be disabled by INI_SCANNER_RAW; that flag already disables certain other types of value interpolation. (Oddly, it doesn't disable expansion of constants either; that might be worth revisiting as well.)

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: https://www.php.net/unsub.php
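As an added illustration of the behaviour discussed in this thread (example code, not from the thread or from php-src): the script below feeds attacker-shaped INI text to parse_ini_string() and shows the ${NAME} references being resolved against php.ini directives and the process environment, then wraps the call in a hypothetical parse_untrusted_ini() helper that refuses the expansion syntax outright. The DEMO_SECRET variable, the sample INI text and the helper name are constructed for this example; it assumes PHP 8.0 or later for str_contains().

```php
<?php
declare(strict_types=1);

// Added example, not code from the mailing-list thread or from php-src.
// DEMO_SECRET and the INI text below are constructed for illustration.

// Stand-in for a real secret living in the environment of the PHP user.
putenv('DEMO_SECRET=hunter2');

// "Settings" text as an attacker might submit it. Nothing here looks like
// code, yet the INI scanner resolves each ${...} reference: php.ini
// directives are looked up first, then environment variables.
$untrusted = "[profile]\n"
    . "name = Alice\n"
    . "leak = \${DEMO_SECRET}\n"     // resolved from the environment
    . "inc  = \${include_path}\n"    // resolved from the php.ini directive
    . "lim  = \${memory_limit}\n";   // likewise

// 1. Default scanner mode: ${DEMO_SECRET} comes back as "hunter2" and the
//    ini directives come back with their live values.
var_dump(parse_ini_string($untrusted, true, INI_SCANNER_NORMAL));

// 2. INI_SCANNER_RAW turns off quote/escape handling and value coercion.
//    Compare its output on your PHP version with the message above, which
//    argues that ${...} and constant expansion should be disabled here too.
var_dump(parse_ini_string($untrusted, true, INI_SCANNER_RAW));

/**
 * Parse INI text that came from an untrusted source.
 *
 * Hypothetical helper, not part of PHP. Rather than relying on a scanner
 * flag to neutralise expansion, it refuses any input that contains the
 * "${" syntax at all, and only then hands the text to parse_ini_string()
 * under INI_SCANNER_RAW so that quoting and escapes are left alone as well.
 */
function parse_untrusted_ini(string $text, bool $sections = true): array
{
    if (str_contains($text, '${')) {
        throw new InvalidArgumentException(
            'Refusing to parse INI text containing ${...} expansion syntax'
        );
    }
    $result = parse_ini_string($text, $sections, INI_SCANNER_RAW);
    if ($result === false) {
        throw new UnexpectedValueException('INI text failed to parse');
    }
    return $result;
}

// The attacker-shaped input is rejected before the scanner ever sees it.
try {
    parse_untrusted_ini($untrusted);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}

// Benign input still parses normally.
var_dump(parse_untrusted_ini("[profile]\nname = Alice\n"));
```

Run it from the command line with `php example.php` and compare the two var_dump() outputs. The refusal check only covers the ${...} syntax; the separate point raised above, that bare constant names are also expanded and that INI_SCANNER_RAW does not stop that, is not addressed by this helper, which is one more reason to prefer a purpose-written key=value parser over parse_ini_string() for data that does not come from a trusted configuration file.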