Podcast: Chaos Computer Club - recent audio-only feed
Episode: Extract: A PHP Foot-Gun Case Study (god2025)
Description: Do you always read the documentation before using a function from your language's standard library? This talk explores the attack surface of a special feature in PHP that is easy to misuse with unforeseen consequences. The `extract` function replaces the values of local variables named after the keys of an array. Calling it with user-controlled input lets an attacker overwrite arbitrary variables in the program. The documentation warns against using it with untrusted data, but our large-scale analysis of 28.325 PHP projects from GitHub shows that this warning is ignored.
The talk walks through the...
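The mechanism the description refers to, as an added example that is not part of the talk or the episode page: a local `$isAdmin` flag is clobbered by `extract()` over request input, next to two ways to prevent it. The `$request` array stands in for `$_GET`/`$_POST` and is constructed here; the function names are made up for illustration.

```php
<?php
// Added example (not from the talk). Shows how extract() over untrusted
// input overwrites a security-relevant local, and how to prevent it.

// Constructed stand-in for request input such as $_GET; attacker-controlled.
$request = ['page' => 'home', 'isAdmin' => '1'];

// Vulnerable: extract() defaults to EXTR_OVERWRITE, so a request key named
// 'isAdmin' replaces the local $isAdmin and the check below passes.
function renderVulnerable(array $request): string
{
    $isAdmin = false;        // decided by the application, not the user
    extract($request);       // 'isAdmin' => '1' overwrites $isAdmin
    return $isAdmin ? 'admin view' : 'user view';
}

// Mitigation 1: EXTR_SKIP never overwrites an existing variable. Keys that do
// not collide still become new locals, so this only helps for variables that
// are assigned before the call.
function renderSkip(array $request): string
{
    $isAdmin = false;
    extract($request, EXTR_SKIP);
    return $isAdmin ? 'admin view' : 'user view';
}

// Mitigation 2: EXTR_PREFIX_ALL namespaces every imported key ($in_page,
// $in_isAdmin), so no request key can alias an application variable.
function renderPrefixed(array $request): string
{
    $isAdmin = false;
    extract($request, EXTR_PREFIX_ALL, 'in');
    $page = $in_page ?? 'home';
    return $isAdmin ? 'admin view' : "user view: $page";
}

// Mitigation 3 (preferred): do not extract at all. Read only the keys the
// code actually needs, with an explicit cast.
function renderExplicit(array $request): string
{
    $isAdmin = false;
    $page = isset($request['page']) ? (string) $request['page'] : 'home';
    return $isAdmin ? 'admin view' : "user view: $page";
}

echo renderVulnerable($request), PHP_EOL;
echo renderSkip($request), PHP_EOL;
echo renderPrefixed($request), PHP_EOL;
echo renderExplicit($request), PHP_EOL;
```

Running it shows the first function granting the admin view purely because of a request key, while the three mitigations keep `$isAdmin` at its programmed value. When reviewing code, a `grep` for `extract(` whose argument derives from `$_GET`, `$_POST`, `$_REQUEST`, `$_COOKIE` or decoded request bodies, without an `EXTR_SKIP` or `EXTR_PREFIX_*` flag, is the quickest way to spot the pattern described in the talk.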