Upcoming Hardening in PHP

312 points, by mmsc, 6 months ago

11 comments

metadat, 6 months ago
The linked CVE-2024-2961 article is a pretty fantastic read on its own:

https://www.ambionics.io/blog/iconv-cve-2024-2961-p1

People are so creative, I can't help but feel some hope for our future :)
ChrisMarshallNY, 6 months ago
> I find it fascinating that people are putting so much efforts optimizing exploitation techniques, yet ~nobody bothers fixing them, even if it only takes a couple of lines of code and 20 minutes.

There's definite reward in having a 0-day. Either you can get a bounty, or sell it in the hacker-souk.

That "couple of lines of code and 20 minutes" is sort of in the eye of the beholder. If you are a highly-experienced language developer, the fixes are likely to be a lot more obvious, simpler, more comprehensive, and robust, than if you are a relatively junior IC.
p4bl0, 6 months ago
Something I'd really like is for PHP to somehow be stricter on the number of arguments passed to a function.

As of now, PHP emits an error if arguments are missing but not if there are too many.

A way to bake that in without breaking old code would be to allow function definition to put an explicit stop to the argument list, for example using the void type keyword:

    function foo (int $a, string $b, void) : bool { ... }

A few months ago I discussed this on the development mailing list and people seemed to agree and even suggested that this would be a good idea by default without the keyword thing I suggested. But I never got the time to properly write an RFC. There is already an old one from years ago that was voted against, but I was told it was from before anything strict and typing related was considered important in PHP. If anyone's up to it, please write this RFC :) !
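The asymmetry p4bl0 describes, shown as an added example (not code from the thread or from PHP's own test suite; assumes PHP 8.x on the command line). A user-defined function called with too few arguments throws ArgumentCountError, but extra arguments are accepted silently and only surface through func_get_args(). The function `bar` below is a hypothetical opt-in guard that emulates the proposed stricter behaviour at call time; the `void` terminator syntax from the comment is a proposal, not valid PHP, so it is not used here.

```php
<?php
declare(strict_types=1);

// Added example: PHP checks too-few arguments but not too-many
// (for user-defined functions). Internal functions are strict since PHP 8.0.

function foo(int $a, string $b): bool
{
    return $a > 0 && $b !== '';
}

// 1. Missing argument: ArgumentCountError is thrown.
try {
    foo(1);
} catch (ArgumentCountError $e) {
    echo "too few:  ", $e->getMessage(), PHP_EOL;
}

// 2. Extra argument: accepted without any diagnostic; the third value is dropped.
//    This is how a stale call site survives a signature change unnoticed.
var_dump(foo(1, 'x', 'this argument is silently ignored'));

// 3. Hypothetical guard (assumption: the author of the function opts in).
//    func_num_args() counts everything the caller passed, including values
//    beyond the declared parameters, so comparing it against the declared
//    parameter count rejects the extras the way the proposal would.
function bar(int $a, string $b): bool
{
    $declared = (new ReflectionFunction(__FUNCTION__))->getNumberOfParameters();
    $passed   = func_num_args();
    if ($passed > $declared) {
        throw new ArgumentCountError(sprintf(
            '%s() expects at most %d arguments, %d given',
            __FUNCTION__, $declared, $passed
        ));
    }
    return $a > 0 && $b !== '';
}

try {
    bar(1, 'x', 'extra');
} catch (ArgumentCountError $e) {
    echo "too many: ", $e->getMessage(), PHP_EOL;
}

// 4. Internal functions already reject surplus arguments (PHP >= 8.0).
try {
    strlen('abc', 'extra');
} catch (ArgumentCountError $e) {
    echo "internal: ", $e->getMessage(), PHP_EOL;
}
```

Run it with `php example.php`. The practical reason to care is the one implicit in the comment: when a parameter is removed or renamed, every caller that still passes the old value keeps working, so the mismatch is never reported. If a function genuinely wants to accept surplus arguments, `...$rest` makes that intent explicit instead of relying on the silent default.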
justinclift, 6 months ago
> Suggestion to make those parts read-only was rejected as a 0.6% performance impact was deemed too expensive for too little gain.

Big Oof. :( :( :(
EZ-E, 6 months ago
> I find it fascinating that people are putting so much efforts optimizing exploitation techniques, yet ~nobody bothers fixing them, even if it only takes a couple of lines of code and 20 minutes.

Like it or not, exploiting seems just more fun and rewarding. A lot of people will be interested to learn on your blog how you came to find and exploit a vulnerability. The 10-line-of-code patch gets little attention. Not even taking into consideration bug bounties...
urban_alien, 6 months ago
Are these issues very particular to PHP? Honest question, this is all above my current programming knowledge.
piokoch, 6 months ago
Off topic: there are two key technologies that "digitalized and computerized" the World: Visual Basic and PHP. And Excel.
coding123, 6 months ago
I found the solution:

    sudo apt-get purge php.*
fghsss, 6 months ago
### Project structure

```
project/
├── data/
│   └── surveys.json
├── app.js
└── package.json
```

### Step 1: Initialize the project

1. Create the project folder and enter it:

```bash
mkdir project
cd project
```

2. Initialize npm:

```bash
npm init -y
```

3. Install Express.js:

```bash
npm install express
```

### Step 2: Create the `surveys.json` file for storing surveys

Create the `data` folder and a `surveys.json` file inside it with this initial content:

```json
[]
```

This will be an array of objects, where each object is a separate survey.

### Step 3: Create `app.js` for the server logic

Here is the code for `app.js`:

```javascript
const express = require('express');
const fs = require('fs');
const app = express();

app.use(express.json());

const surveysFilePath = './data/surveys.json';

// Read the survey list from the JSON file
const readSurveys = () => {
  const data = fs.readFileSync(surveysFilePath, 'utf-8');
  return JSON.parse(data);
};

// Write the survey list back to the JSON file
const writeSurveys = (surveys) => {
  fs.writeFileSync(surveysFilePath, JSON.stringify(surveys, null, 2));
};

// Create a new survey
app.post('/surveys', (req, res) => {
  const surveys = readSurveys();
  // Server-controlled fields come after the spread so a client cannot
  // override `id` or `editable` by sending them in the body
  const newSurvey = { ...req.body, id: Date.now(), editable: true };
  surveys.push(newSurvey);
  writeSurveys(surveys);
  res.status(201).json(newSurvey);
});

// Get all surveys
app.get('/surveys', (req, res) => {
  const surveys = readSurveys();
  res.json(surveys);
});

// Edit a survey (only if it is still editable)
app.put('/surveys/:id', (req, res) => {
  const surveys = readSurveys();
  const surveyId = parseInt(req.params.id, 10);
  const surveyIndex = surveys.findIndex(survey => survey.id === surveyId);

  if (surveyIndex === -1) {
    return res.status(404).json({ error: 'Survey not found' });
  }
  if (!surveys[surveyIndex].editable) {
    return res.status(403).json({ error: 'Survey cannot be edited' });
  }
  // Keep the stored id; the body may not change it. Editing locks the survey.
  surveys[surveyIndex] = { ...surveys[surveyIndex], ...req.body, id: surveyId, editable: false };
  writeSurveys(surveys);
  res.json(surveys[surveyIndex]);
});

// Delete a survey
app.delete('/surveys/:id', (req, res) => {
  const surveys = readSurveys();
  const surveyId = parseInt(req.params.id, 10);
  const newSurveys = surveys.filter(survey => survey.id !== surveyId);

  if (newSurveys.length === surveys.length) {
    return res.status(404).json({ error: 'Survey not found' });
  }
  writeSurveys(newSurveys);
  res.status(204).send();
});

// Start the server
const PORT = 3000;
app.listen(PORT, () => {
  console.log(`Server is running on http://localhost:${PORT}`);
});
```

### Code explanation:

1. *Routes*:
   - `POST /surveys` – create a new survey with `editable: true`.
   - `GET /surveys` – get all surveys.
   - `PUT /surveys/:id` – edit a survey by ID if `editable: true`, after which `editable` becomes `false`.
   - `DELETE /surveys/:id` – delete a survey by ID.

2. *Functions*:
   - `readSurveys` – reads data from the JSON file.
   - `writeSurveys` – writes data to the JSON file.

### Step 4: Run the project

Start the server with:

```bash
node app.js
```

The API is now available at `http://localhost:3000`.
canadiandev, 6 months ago
That's good, PHP is too permissive
mgaunard, 6 months ago
The real question is why does PHP have so many bugs that it's so trivial to exploit?