Hello,

Chaining filters is becoming an increasingly popular primitive to exploit PHP applications:

- https://www.synacktiv.com/en/publications/php-filters-chain-what-is-it-and-how-to-use-it.html + https://github.com/synacktiv/php_filter_chain_generator
- https://www.synacktiv.com/publications/php-filter-chains-file-read-from-error-based-oracle.html + https://github.com/synacktiv/php_filter_chains_oracle_exploit
- https://www.ambionics.io/blog/wrapwrap-php-filters-suffix + https://github.com/ambionics/wrapwrap
- https://www.ambionics.io/blog/lightyear-file-dump + https://github.com/ambionics/lightyear

They provide increasingly powerful primitives ranging from arbitrary file read to arbitrary code execution, and are tedious to protect against, as filters can be used in a lot of places.

The easiest way to kill this vector is to simply limit the number of filters that can be chained, as attacks require at least a couple of them, while legitimate uses usually use one or two, tops, as highlighted by arnaud-lb's analysis: https://github.com/php/php-src/pull/16699#issuecomment-2462281938

I sent a pull-request to implement this: https://github.com/php/php-src/pull/16699

What do y'all think about this?

--
Julien (jvoisin) Voisin
GPG: 04D041E8171901CC
dustri.org
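A defender-side counterpart to the proposed limit, added here as an example and not code from the post or from the php-src pull request: it counts the filters in any php://filter URI found in request log lines and flags chains longer than a threshold. The threshold of 3 and the log lines are constructed for illustration.

```python
"""Flag php://filter URIs whose filter chain is longer than legitimate use needs."""
import re
from urllib.parse import unquote

# php://filter/<spec>[/resource=<target>] ; spec holds '/'-separated segments,
# each optionally prefixed with 'read=' or 'write=', filters joined with '|'.
PHP_FILTER_RE = re.compile(
    r"php://filter/(?P<spec>.*?)(?:/resource=(?P<resource>.*))?$",
    re.IGNORECASE | re.DOTALL,
)
URI_IN_LINE_RE = re.compile(r"php://filter/[^\s\"']+", re.IGNORECASE)

MAX_CHAIN = 3  # constructed threshold; tune to what the application really uses


def count_filters(uri: str) -> int:
    """Return how many filters a php://filter URI applies (0 if it is not one).

    Percent-decodes first so '%7C' counts like '|', and skips segments such as
    'resource=...' that are not filter lists.
    """
    match = PHP_FILTER_RE.match(unquote(uri).strip())
    if not match:
        return 0
    total = 0
    for segment in match.group("spec").split("/"):
        segment = segment.strip()
        if not segment:
            continue
        if "=" in segment:
            key, _, segment = segment.partition("=")
            if key.lower() not in ("read", "write"):
                continue  # e.g. a bare 'resource=' with no filters at all
        total += sum(1 for f in segment.split("|") if f.strip())
    return total


def flag_requests(lines, max_chain=MAX_CHAIN):
    """Return (line_no, filter_count) for each log line over the chain limit."""
    hits = []
    for line_no, line in enumerate(lines, 1):
        for uri in URI_IN_LINE_RE.findall(unquote(line)):
            n = count_filters(uri)
            if n > max_chain:
                hits.append((line_no, n))
    return hits


# Constructed sample access-log lines: one plain page, one single-filter use,
# one six-filter chain, and one four-filter chain sent percent-encoded.
SAMPLE_LOG = [
    "GET /index.php?page=about.php HTTP/1.1",
    "GET /index.php?page=php://filter/read=string.rot13/resource=news.txt HTTP/1.1",
    "GET /index.php?page=php://filter/string.toupper|string.rot13|string.tolower"
    "|string.toupper|string.rot13|string.tolower/resource=news.txt HTTP/1.1",
    "GET /index.php?page=php%3A%2F%2Ffilter%2Fread%3Dstring.toupper%7Cstring.rot13"
    "%7Cstring.toupper%7Cstring.tolower%2Fresource%3Dx HTTP/1.1",
]

if __name__ == "__main__":
    for line_no, n in flag_requests(SAMPLE_LOG):
        print(f"line {line_no}: chain of {n} filters exceeds {MAX_CHAIN}")
```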