Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

set_error_handler should accept "only globally callable callback" #14494

Open
mvorisek opened this issue Jun 7, 2024 · 10 comments
Open

set_error_handler should accept "only globally callable callback" #14494

mvorisek opened this issue Jun 7, 2024 · 10 comments
Labels
Feature Status: Needs Triage

Comments

@mvorisek
Copy link
Contributor

mvorisek commented Jun 7, 2024
edited
Loading

Description

see sebastianbergmann/phpunit#5844

set_error_handler (and set_exception_handler, maybe even more handlers) should accept only callables callable from any context. Accepting any callable like php does not is dangerous and unwanted, the error/exception can from any context.

I would expect php to evaluate "if the callable is callable" in global context on set phase.

repro: https://3v4l.org/mZ9E3

Resulted in this output:

...
Fatal error: Uncaught Error: Invalid callback Foo\SomeExternalDependency::logError, cannot access private
method Foo\SomeExternalDependency::logError()
...

But I expected this output instead:

Fatal error: Uncaught TypeError: set_error_handler(): Argument #1 ($callback) must be a valid globally
callable callback or null, Foo\SomeExternalDependency::logError() method is private"
...
@mvorisek mvorisek mentioned this issue Jun 7, 2024
Closed
@Girgias
Copy link
Member

Girgias commented Jun 7, 2024

I don't think that's the solution, we could just convert the callable to a proper closure.

@mvorisek
Copy link
Contributor Author

mvorisek commented Jun 7, 2024

Do you mean accepting only \Closure?

The linked issue is about restoring the handler, but this issue is about set_error_handler in general - as long as callable is accepted, this feature request is about requiring the parameter to be "only globally callable callable".

@kkmuffme
Copy link

Against it.

Here's an example of why this matters and is more important than ever to allowe non-public methods:
we use a private method error handler to ensure all user privacy related things are removed from a stack trace.
If we now had a composer dependency that would do what phpunit does, they could just remove our error handler, send a stack trace to their remote logging with user data included and then just restore our error handler.
There would be no way for us to know (unless we manually inspect 1000s of composer dependencies recursively used in various projects we use) that we might accidentally have a data privacy leak somewhere.

@mvorisek
Copy link
Contributor Author

private method/callable is not more secure than public \Closure as the private callable can be invoken by Closure::bind or reflection from any context.

@kkmuffme
Copy link

But it cannot be added back to the error handler callstack once it has been removed (from outside context)

@mvorisek
Copy link
Contributor Author

Good clear point, but if set_error_handler is called in rebound context, it still can :)

@kkmuffme
Copy link

Could you provide an example of what you mean, bc it's not fully clear to me

@mvorisek
Copy link
Contributor Author

https://3v4l.org/0Zf3P

@kkmuffme
Copy link

That's true but the instance of Foo is not the same as when we registered the exception handler, so we would know that someone tampered with it when logError is run

@sebastianbergmann
Copy link
Contributor

I would consider a pull requests that implements this, of course.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Feature Status: Needs Triage
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@sebastianbergmann @mvorisek @Girgias @kkmuffme