Globals leak out of request in worker mode
Probably related to #85.
Take the following code:
<?php
do {
    $running = frankenphp_handle_request(
        function () {
            global $global;
            echo $global ?? 'no global';
            $global = 'global';
        }
    );
} while ($running);
After a worker does the first request, "global" will be output instead of "no global" which I (personally) wasn't expecting. Is this expected? I was under the expectation that super-globals are always reset (at least that is what it looks like is going on in the docs).
This looks intended to me. What would you expect instead?
The context of the worker script is kept between requests, only super globals are reset, and globals aren't super global.
> only super globals are reset, and globals aren't super global.
Globals are in the $GLOBALS super global. So, if you want them reset, they can be reset by:
while (frankenphp_handle_request(get_rq_handler())) {
    foreach ($GLOBALS as $key => $value) {
        unset($GLOBALS[$key]);
    }
}
This doesn't reset static variables, constants, or anything else that was set by the first request to run on the worker. I have a feeling this could lead to some severe security/privacy issues if the developer isn't careful and/or aware of this (libraries included).
But, after some thought, I think this is the correct behavior. It could be interesting if we were to have a couple of functions (frankenphp_snapshot_engine() and frankenphp_restore_engine_snapshot()?) that would allow resetting the entire state to a known state after a request.
IMHO we should not change the current behavior but document it well. Basically, all request-related superglobals (the ones starting with $_) are reset, but not other global states including $GLOBALS.
Indeed this can be a security issue for applications not taking care to remove sensitive data after having handled the request (as in other programming languages that aren't "share nothing" as standard PHP), but it's expected.
By the way, why do you think that it's related to https://github.com/dunglas/frankenphp/issues/85? Symfony should take care of resetting the sensitive services when booting.
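The behaviour discussed in this thread, as an added example that is not part of the original issue or the FrankenPHP project's code: run_worker() is a hypothetical stand-in for the frankenphp_handle_request() loop so it runs under the plain php CLI, and Session, handler() and the request data are constructed. Removing only the globals created after a baseline clears the leaked global, while the static property still carries over to the next request.

```php
<?php
// Added example: plain-PHP simulation of a worker loop. run_worker() is a
// hypothetical stand-in for the frankenphp_handle_request() loop so this runs
// under the php CLI; all names and request data are constructed.

final class Session
{
    public static ?string $user = null; // static state outlives a request
}

function handler(array $request): string
{
    global $token;
    // Report whatever the previous request left behind, then store new data.
    $seen = sprintf('global=%s static=%s', $token ?? 'none', Session::$user ?? 'none');
    $token = $request['token'];
    Session::$user = $request['user'];
    return $seen;
}

function run_worker(array $requests, bool $resetGlobals): array
{
    $baseline = array_keys($GLOBALS); // globals that exist before any request
    $out = [];
    foreach ($requests as $request) {
        $out[] = handler($request);
        if ($resetGlobals) {
            // Drop every global created while handling the request.
            foreach (array_diff(array_keys($GLOBALS), $baseline) as $key) {
                unset($GLOBALS[$key]);
            }
        }
    }
    return $out;
}

$requests = [
    ['user' => 'alice', 'token' => 'tok-alice'],
    ['user' => 'bob', 'token' => 'tok-bob'],
];
print_r(run_worker($requests, false)); // no cleanup between requests
// Start the second run from a clean state, as a fresh worker would.
unset($GLOBALS['token']);
Session::$user = null;
print_r(run_worker($requests, true)); // globals cleaned, statics untouched
```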