I think there is some idea we can borrow from the discussion of unserialize security policy. `extract` should not be used on untrusted input, and that's it.
Best regards,
CHU Zhaowei

On Fri, Sep 15, 2017 at 7:20 PM, <ilija.tov...@me.com> wrote:
> Hi!
>
> The `extract` function takes an associative array and puts it into the
> local symbol table.
> http://php.net/manual/en/function.extract.php
>
> ```
> $array = [
>     'foo' => 'foo',
>     'bar' => 'bar',
> ];
>
> extract($array);
>
> print $foo; // "foo"
> ```
>
> As a second parameter the `extract` function takes some options to make
> this function less dangerous, like `EXTR_SKIP` that prevents an existing
> local variable from being overwritten. There's a few more options, go ahead
> and take a look at the documentation. `EXTR_OVERWRITE` is the default one
> though. You can also pass a prefix for the variable names as a third
> argument.
>
> I seriously doubt the usefulness of this function, especially looking at
> the potential risks. The fact that overwriting the local variables is the
> default behaviour doesn't make it any better. I suggest deprecating it in
> PHP 7.3 and removing it in 8.
>
> In a whole Symfony-Stack (3.4) with all of its dependencies I could only
> find two usages of this function, both of which could be easily rewritten
> in vanilla PHP:
> https://github.com/symfony/symfony/blob/master/src/Symfony/Component/Templating/PhpEngine.php#L148
> https://github.com/symfony/symfony/blob/master/src/Symfony/Component/Templating/PhpEngine.php#L158
>
> Only downside: A polyfill is probably impossible since you cannot mutate
> the local symbol table of the callee (as far as I'm aware).
>
> Any thoughts?
>
> Regards
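The risk both messages refer to, as an added example that is not part of the thread and not code from either author or from Symfony: with the default `EXTR_OVERWRITE`, a key in attacker-controlled input that happens to match an existing local variable silently replaces it, so a decision already made in the function (here a constructed `$isAdmin` flag) is taken over by the caller. The same input run through `EXTR_SKIP`, `EXTR_PREFIX_ALL`, and the explicit assignment Ilija proposes as the vanilla-PHP replacement shows what each option does and does not protect. The input array, the `isAdmin` key and the function names are all constructed for illustration.

```php
<?php
// Constructed sample standing in for a request array (e.g. $_GET / $_POST).
// The 'isAdmin' key is the attacker's addition; nothing in the app sets it.
$untrusted = [
    'username' => 'guest',
    'isAdmin'  => true,
];

// Default behaviour (EXTR_OVERWRITE): every key becomes a local variable,
// including ones that already exist, so $isAdmin is clobbered.
function render_with_overwrite(array $input): string
{
    $isAdmin = false;              // authorization decided before rendering
    extract($input);               // overwrites $isAdmin with the caller's value
    return $isAdmin ? 'admin view' : 'user view';
}

// EXTR_SKIP: existing locals are kept, but every *other* key still becomes a
// new variable, so any local that is only set later in the function, or any
// variable read without first being initialised, is still reachable.
function render_with_skip(array $input): string
{
    $isAdmin = false;
    extract($input, EXTR_SKIP);    // $isAdmin kept; $username is created
    return $isAdmin ? 'admin view' : 'user view';
}

// EXTR_PREFIX_ALL with a prefix: everything lands in $req_* names, so no
// existing local can collide, but the number of variables is still input-driven.
function render_with_prefix(array $input): string
{
    $isAdmin = false;
    extract($input, EXTR_PREFIX_ALL, 'req');   // creates $req_username, $req_isAdmin
    return $isAdmin ? 'admin view' : 'user view';
}

// The plain-PHP rewrite: the set of variable names is fixed in source, and
// only the keys the code actually expects are read, with an explicit type cast.
function render_explicit(array $input): string
{
    $isAdmin  = false;
    $username = isset($input['username']) ? (string) $input['username'] : 'anonymous';
    return $isAdmin ? 'admin view' : "user view for $username";
}

printf("extract() default: %s\n", render_with_overwrite($untrusted));
printf("EXTR_SKIP:         %s\n", render_with_skip($untrusted));
printf("EXTR_PREFIX_ALL:   %s\n", render_with_prefix($untrusted));
printf("explicit assign:   %s\n", render_explicit($untrusted));
```

Only the first call ends up in the admin branch; the other three keep `$isAdmin` as set in the function. The point `EXTR_SKIP` does not cover is worth keeping in mind when auditing: it protects variables that already exist at the moment `extract` runs, so an identifier that the function assigns after the call, or reads under a different code path, is still controllable from the input. Explicit assignment removes that class of question entirely, which is why it is the safer rewrite for the two Symfony call sites.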