On Tue, 7 Nov 2023 at 10:33, Thomas Chauchefoin via internals <internals@lists.php.net> wrote:

> Hey,
>
> I recently opened an issue on GitHub [1] to discuss setting
> register_argc_argv to Off by default for all SAPIs but cli, embed, and
> phpdbg. Ilija Tovilo suggested including this change in 8.4.0.
>
> Even though most downstream distributions already turn it off, that's
> not the case everywhere. For instance, the official Docker image has
> it on [2]. Outside of performance reasons, this also has a security
> impact because it eases the exploitation of limited LFI bugs [3] and
> CLI tools stored under the web root [4].
>
> -Thomas
>
> [1]: https://github.com/php/php-src/issues/12344
> [2]: https://hub.docker.com/_/php
> [3]: https://www.youtube.com/watch?v=yq2rq50IMSQ
> [4]: https://github.com/advisories/GHSA-jm6m-4632-36hf

This sounds sensible to me.

Best regards,

Gina/George P. Banyard
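
Added example (not part of the thread and not php-src code): a static check of which value register_argc_argv ends up with for a web SAPI, given the ini files in load order. It assumes PHP's compiled-in default of On for versions before the proposed change; the file names and contents are constructed samples, and per-directory overrides (.user.ini, .htaccess, [PATH=]/[HOST=] sections) are not evaluated. The files are parsed directly because the cli SAPI always enables the directive, so asking the command-line binary says nothing about the web SAPI.

```python
import re

# Assumption: compiled-in default when no ini file sets the directive
# (PHP versions before the change proposed in this thread).
BUILTIN_DEFAULT = True
TRUTHY = {"on", "yes", "true"}
# Matches an active (not ';'-commented) assignment and drops a trailing comment.
DIRECTIVE = re.compile(r"^\s*register_argc_argv\s*=\s*([^;]*)", re.IGNORECASE)


def parse_bool(raw):
    """Interpret an ini value the way PHP treats a boolean directive."""
    value = raw.strip().strip("\"'").lower()
    if value in TRUTHY:
        return True
    number = re.match(r"[+-]?\d+", value)
    return bool(number) and int(number.group()) != 0


def effective_setting(ini_files):
    """ini_files: (name, text) pairs in load order, php.ini first and then
    the scan-directory files sorted by name. The last assignment wins.
    Returns (enabled, source)."""
    enabled, source = BUILTIN_DEFAULT, "built-in default"
    for name, text in ini_files:
        for lineno, line in enumerate(text.splitlines(), 1):
            match = DIRECTIVE.match(line)
            if match:
                enabled, source = parse_bool(match.group(1)), f"{name}:{lineno}"
    return enabled, source


# Constructed sample configurations, not taken from any real image or distro.
NO_SETTING = [("conf.d/20-sodium.ini", "extension=sodium\n")]
HARDENED = [("php.ini", "[PHP]\n; only CLI tools need argv\nregister_argc_argv = Off\n")]
OVERRIDDEN = HARDENED + [("conf.d/99-legacy.ini", "register_argc_argv=1 ; old script\n")]

if __name__ == "__main__":
    for label, files in [("no setting", NO_SETTING), ("hardened", HARDENED),
                         ("overridden", OVERRIDDEN)]:
        enabled, source = effective_setting(files)
        print(f"{label}: register_argc_argv={'On' if enabled else 'Off'} ({source})")
```

The third sample shows why the whole load order has to be read: an Off in php.ini is undone by a later file in the scan directory.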