
Lock down include wrappers to avoid abuse from third parties #11015

Merged
merged 1 commit into from
Aug 31, 2022

Conversation

Seldaek
Member

@Seldaek Seldaek commented Aug 20, 2022

It occurred to me that with static lambdas we can achieve the same effect as with those public functions, except we don't leave them open for use by third parties.

As a side-note @mir-hossein pointed out to me that it's sometimes used in attacks to bypass restrictions, I am not entirely sure how this would work but I guess some filtering may allow calls to includeFile() but not to include/require? In any case it seems like a good thing to close this potential vector.

I would target 2.5.0 with this because it may cause disruption to people using this function (even though they really should not...) for "legit" cases, so I'd rather not have this in a patch release.
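The pattern this PR describes, as an added example that is not Composer's own code: a globally callable include wrapper beside the static-closure form, which keeps the same scope isolation but leaves no global symbol for other code to call. The names `includeFileExposed` and `ScopedLoader` and the constructed temp file are assumptions for the demonstration.

```php
<?php
// Added example (not Composer's code): a globally exposed include wrapper
// versus a static closure that only the loader itself can reach.

// BEFORE: a public function in the global namespace. Any code running in the
// same process can call includeFileExposed('/any/path.php'), even code that
// is otherwise prevented from using include/require directly.
if (!function_exists('includeFileExposed')) {
    function includeFileExposed(string $file): void
    {
        include $file; // runs in this function's scope, isolating variables
    }
}

// AFTER: identical scope isolation, but the wrapper exists only as a static
// closure created inside the loader. Nothing outside this class can obtain it,
// and `static function` has no bound $this, so the included file cannot
// touch the loader's internals either.
final class ScopedLoader
{
    /** @var list<string> files this loader is allowed to include */
    private array $files;

    public function __construct(array $files)
    {
        $this->files = $files;
    }

    public function load(): void
    {
        $includeFile = static function (string $file): void {
            include $file;
        };

        foreach ($this->files as $file) {
            $includeFile($file);
        }
    }
}

// Constructed demonstration: a throwaway file loaded both ways.
$tmp = sys_get_temp_dir() . '/include_wrapper_demo_' . uniqid() . '.php';
file_put_contents($tmp, '<?php $GLOBALS["loaded"] = ($GLOBALS["loaded"] ?? 0) + 1;');

includeFileExposed($tmp);           // reachable from anywhere in the process
(new ScopedLoader([$tmp]))->load(); // only reachable through the loader

// No global include primitive remains for third-party code to call.
var_dump(function_exists('includeFile'));
var_dump(is_callable([ScopedLoader::class, 'includeFile']));
unlink($tmp);
```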

@Seldaek Seldaek added this to the 2.5 milestone Aug 20, 2022
@mir-hossein

Thank you @Seldaek.
I will provide more details about the issue by email.
