Description
Hi,
I strongly stand by my opinion that a variable of type string should not be treated as a callable if the content of the variable is a function name.
Example from the documentation:
$increment = 'increment';
$increment($a);
This allows attackers who are using other exploits to inject malicious code into the website to literally execute any code using input variables such as cookies, for example:
<?php
// index.php
// simulate some cookies (in a real attack these arrive with the request)
$_COOKIE = [];
$_COOKIE['1'] = "she";
$_COOKIE['2'] = "ll_";
$_COOKIE['3'] = "exec";
// argument for the first call: a cmd.exe command that writes a PHP file (^ escapes < for cmd.exe)
$_COOKIE['321'] = 'echo ^<?php echo \'hello from shell\'; > shell_test.php';
// argument for the second call: run the file that was just written
$_COOKIE['567'] = "php shell_test.php";
// now the malicious code already planted in the website using other security holes
$nums = ["1", "2", "3", "321", "567"];
$_test = $_COOKIE;
// assembles the string "shell_exec" without it ever appearing literally in the file
$_t = $_test[$nums[0]] . $_test[$nums[1]] . $_test[$nums[2]];
// the string is now invoked as a function; @ suppresses any warning
@$_t($_test[$nums[3]]);
echo $_t($_test[$nums[4]]);
Normally this should not happen (having code like this on the website), but if it happens due to some other security hole and someone is trying to find the malicious code among thousands of files, for example by scanning, it is much easier to find instances of call_user_func or eval than instances of code that builds up function names and function arguments using arrays or other disguising strategies.
Think of this as a safety-switch on a gun. It's there to prevent accidents, not to prevent intentional shooting.
call_user_func is in this case the safety switch, and treating a string as callable is the broken mechanism of the safety switch.
Also, the other issue I have with this is that, as PHP is moving to be a more type-strict language, I see no reason to treat the runtime type string as a callable type.
My suggestion is to make a php.ini option to disable this feature, or remove this feature completely, to prevent changing the configuration at runtime.
This feature request would improve the type-strictness of future PHP versions and also reduce the number of ways to write malicious code, therefore making the web a safer place for all of us.
Thanks for your time
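The report's point about scanning is that a literal eval() or call_user_func() is a fixed token you can grep for, while a call through a variable has no such token. The heuristic scanner below is an added example (not part of the bug report and not PHP project code) that shows what a scan has to look for instead: the shape of a variable function call ($name( or $name[...](), and any assignment that builds a later-called variable by string concatenation. The regexes, the Finding type and the embedded PHP sample are assumptions constructed here for illustration; the scanner works line by line and does not parse strings or multi-line statements, so it is a triage aid, not a parser.

```python
"""Heuristic scanner for PHP variable function calls (added example).

Constructed for illustration; the patterns are assumptions, not a full
PHP parser. Call scan(source) on a file's text and inspect the findings.
"""
from __future__ import annotations

import re
from typing import NamedTuple


class Finding(NamedTuple):
    line: int      # 1-based line number in the scanned source
    kind: str      # "literal-sink", "variable-call" or "dynamic-name"
    code: str      # the offending line, stripped


# Sinks that a plain grep already catches by name.
LITERAL_SINK = re.compile(
    r"\b(?:eval|assert|create_function|call_user_func(?:_array)?|"
    r"shell_exec|exec|system|passthru|popen|proc_open)\s*\(",
    re.IGNORECASE,
)
# A call through a variable: $name(...), $name['k'](...), $name[$i](...).
# $obj->method( is not matched because "->" follows the variable name.
VARIABLE_CALL = re.compile(r"(\$[A-Za-z_]\w*)(?:\[[^\]]*\])*\s*\(")
# A one-line assignment "$name = <expr>;" whose expression we inspect.
ASSIGNMENT = re.compile(r"^\s*(\$[A-Za-z_]\w*)\s*=\s*(.+);\s*$")
# The "." concatenation operator between two tokens (heuristic).
CONCAT = re.compile(r"\S\s*\.\s*\S")


def _is_comment(line: str) -> bool:
    return line.lstrip().startswith(("//", "#", "/*", "*"))


def scan(source: str) -> list[Finding]:
    lines = source.splitlines()

    # Pass 1: collect every variable that is ever used as a callee.
    callees: set[str] = set()
    for line in lines:
        if not _is_comment(line):
            for m in VARIABLE_CALL.finditer(line):
                callees.add(m.group(1))

    # Pass 2: report literal sinks, variable calls, and concatenated names
    # that feed one of those variable calls (the obfuscation in the report).
    findings: list[Finding] = []
    for no, line in enumerate(lines, start=1):
        if _is_comment(line):
            continue
        if LITERAL_SINK.search(line):
            findings.append(Finding(no, "literal-sink", line.strip()))
        if VARIABLE_CALL.search(line):
            findings.append(Finding(no, "variable-call", line.strip()))
        m = ASSIGNMENT.match(line)
        if m and m.group(1) in callees and CONCAT.search(m.group(2)):
            findings.append(Finding(no, "dynamic-name", line.strip()))
    return findings


# Constructed sample modelled on the report's snippet, plus one benign
# call and one literal eval() for comparison.
SAMPLE = """<?php
// constructed sample: cookie fragments assembled into a function name
$_COOKIE['1'] = "she";
$_COOKIE['2'] = "ll_";
$_COOKIE['3'] = "exec";
$nums = ["1", "2", "3", "321", "567"];
$_test = $_COOKIE;
$_t = $_test[$nums[0]] . $_test[$nums[1]] . $_test[$nums[2]];
@$_t($_test[$nums[3]]);
echo $_t($_test[$nums[4]]);
$greeting = strtoupper("hi");   // ordinary call, must not be flagged
eval($_GET['c']);               // literal sink, trivial to grep
"""


def lines_of_kind(findings: list[Finding], kind: str) -> list[int]:
    """Line numbers of all findings of one kind, in source order."""
    return [f.line for f in findings if f.kind == kind]


if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f"line {f.line:>3}  {f.kind:<14} {f.code}")
```

On the sample, the eval() is found by name, but "shell_exec" never appears as a token: the scanner only sees it because lines 9 and 10 call $_t and line 8 builds $_t by concatenation. Independently of any scanner, the php.ini directive disable_functions (for example disable_functions = shell_exec,exec,system,passthru) is enforced when the function is actually invoked, so it blocks the assembled call as well as a literal one; that is the hardening an operator can apply today, while the report asks for the variable-call feature itself to become switchable.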