Strings with function names passed as context values are executed #6

Open
hugoFelippe opened this issue Oct 26, 2024 · 0 comments
@hugoFelippe

If a function name is passed as a context value, the function is executed automatically rather than being treated as a string. This can cause unintended behavior, as the user may not intend to call the function.

This could be a bigger problem if one of the values comes from a value the user passed, e.g. phpinfo.

Example:

If the pestphp package is installed, this issue is triggered, and the function is executed, even if the intent is to pass it as a string.

$env = 'test';

StickyContext::defaultStack('application');
StickyContext::add('system.env', $env);

How to Reproduce: The problem can be reproduced using this repository: test-monolog-sticky-context.

Suggested solution:

  • Add a check to verify if the function requires parameters; if it does, prevent it from being executed automatically.
  • Create an "ignore list" of functions that should never be executed within the context, treating them as strings by default.
  • Consider adjusting the way parameters are passed so that function names can be clearly marked as functions and not mistakenly executed.
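
The behaviour reported in this issue, next to a stricter way of marking lazy values, as an added example that is not the project's own code. It assumes (the page does not show the library's internals) that the decision is made with `is_callable()`; `resolveLoose`, `resolveStrict` and the stand-in `test()` function are hypothetical names.

```php
<?php
declare(strict_types=1);

// Stand-in for a global helper such as the test() function Pest defines (constructed).
if (!function_exists('test')) {
    function test(): string
    {
        return 'SIDE EFFECT: test() was called';
    }
}

// Hypothetical loose resolver: is_callable() is true for any string that
// names a defined function, so plain data ends up being invoked.
function resolveLoose(mixed $value): mixed
{
    return is_callable($value) ? $value() : $value;
}

// Hypothetical strict resolver: only a Closure marks a lazy value.
// Strings (and callable arrays) are always returned as data.
function resolveStrict(mixed $value): mixed
{
    return $value instanceof \Closure ? $value() : $value;
}

// Constructed sample context values.
$samples = [
    'plain string'  => 'production',
    'function name' => 'test',    // the value from the issue's example
    'needs a param' => 'strlen',  // callable, but cannot be called without arguments
    'closure'       => fn (): string => 'computed-lazily',
];

foreach ($samples as $label => $value) {
    try {
        $loose = resolveLoose($value);
    } catch (\Throwable $e) {
        // A function that requires parameters fails instead of being logged.
        $loose = 'threw ' . $e::class;
    }
    printf(
        "%-14s loose=%s strict=%s\n",
        $label,
        json_encode($loose),
        json_encode(resolveStrict($value))
    );
}
```

With the strict resolver the strings `test` and `strlen` are stored unchanged, and only the closure is evaluated.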