Hi

On 7/14/23 18:03, David Gebler wrote:
>> 2) These expansions should probably be disabled by INI_SCANNER_RAW; that
>> flag already disables certain other types of value interpolation. (Oddly,
>> it doesn't disable expansion of constants either; that might be worth
>> revisiting as well.)
>
> Environment variable parsing is already disabled by INI_SCANNER_RAW mode,
> isn't it? Personally I don't think the default/normal mode should behave
> differently. If you're passing untrusted input to parse_ini_string, you
> should be sanitizing, white listing or using raw mode anyway really.


Defaults matter. Developers should not need to provide INI_SCANNER_PLEASE_DONT_PWN_ME to safely use a function.

Yes, the function is documented to behave "like php.ini's parsing", but injecting potentially sensitive environment variables still violates the principle of least surprise for me. Nothing about the function's behavior or documentation indicates that it might be unsafe to use with untrusted input data.

A short-term improvement might be adding an explicit yellow warning to the documentation page.

Best regards
Tim Düsterhus

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: https://www.php.net/unsub.php
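
The behaviour discussed in this thread, shown as an added example that is not part of the original e-mails or of PHP's own code: default-mode parse_ini_string() substitutes an environment variable into an untrusted value, while INI_SCANNER_RAW combined with a key allowlist does not. The variable name EXAMPLE_DB_PASSWORD, the sample input and the helper parseUntrustedIni() are constructed for illustration; PHP 8.0 or later is assumed for str_contains().

```php
<?php
// Constructed stand-in for a sensitive value in the process environment.
putenv('EXAMPLE_DB_PASSWORD=constructed-secret');

// Constructed untrusted input, e.g. settings text supplied by a user.
$untrusted = <<<'INI'
title = "My page"
footer = ${EXAMPLE_DB_PASSWORD}
debug = 1
INI;

/**
 * Hypothetical helper: parse untrusted INI text without value interpolation
 * and keep only the keys the caller expects.
 */
function parseUntrustedIni(string $input, array $allowedKeys): array
{
    // INI_SCANNER_RAW leaves "${...}" in values as literal text.
    $parsed = parse_ini_string($input, false, INI_SCANNER_RAW);
    if ($parsed === false) {
        throw new InvalidArgumentException('Malformed INI input');
    }
    $clean = [];
    foreach ($allowedKeys as $key) {
        if (!isset($parsed[$key]) || !is_string($parsed[$key])) {
            continue;
        }
        // Reject leftover interpolation syntax so a later re-parse in
        // normal mode cannot expand it.
        if (str_contains($parsed[$key], '${')) {
            throw new InvalidArgumentException("Interpolation syntax in '$key'");
        }
        $clean[$key] = $parsed[$key];
    }
    return $clean;
}

// Default mode: the environment value is substituted into 'footer'.
var_dump(parse_ini_string($untrusted)['footer']);

// Raw mode plus allowlist: 'debug' is dropped, clean values pass through.
var_dump(parseUntrustedIni("title = \"My page\"\ndebug = 1", ['title', 'footer']));

try {
    parseUntrustedIni($untrusted, ['title', 'footer']);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```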
