
Remote Code Execution on packagist.org - justicz
https://justi.cz/security/2018/08/28/packagist-org-rce.html
======
kpcyrd
I would like to emphasize that php is notorious for these sorts of issues
because every single function to execute an external program is based on

    ["/bin/sh", "-c", $cmd]

If we would just stop telling developers that the interface to start a process
is "a string that is then processed by bash" we wouldn't have these issues
anymore.

Every other programming language starts processes using a path and a list of
arguments, even bash itself, in its own awkward way.

It feels like the php security community is too centered around sanitizing
inputs instead of adding secure interfaces that only require logical
validation instead of checking-for-evil-bytes-and-defusing-them.
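
The contrast the comment draws, as an added example that is not part of the comment or of Packagist's code. It assumes PHP 7.4 or later, where `proc_open()` accepts an argv array and starts the program without a shell; `run_argv`, `run_shell_string`, `require_operand` and the input value are constructed for illustration, with `/bin/echo` standing in for the real program.

```php
<?php
// Added example. Function names and the input value are constructed.

// Start a program from a path plus argument list; no shell is involved.
// Passing an array to proc_open() requires PHP >= 7.4.
function run_argv(array $argv): string
{
    $spec = [1 => ['pipe', 'w'], 2 => ['file', '/dev/null', 'w']];
    $proc = proc_open($argv, $spec, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('proc_open failed');
    }
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    proc_close($proc);
    return $out;
}

// The string interface from the comment: the whole command line is
// handed to /bin/sh -c, and the shell decides where arguments end.
function run_shell_string(string $cmd): string
{
    return run_argv(['/bin/sh', '-c', $cmd]);
}

// Logical validation that still matters with an argv list: many programs
// treat a value beginning with "-" as an option rather than an operand.
function require_operand(string $value): string
{
    if ($value === '' || $value[0] === '-') {
        throw new InvalidArgumentException('not a plain operand');
    }
    return $value;
}

$input = 'repo; echo INJECTED';   // constructed untrusted value

// 1) String interface: the shell parses the ";" and runs a second command.
echo run_shell_string('/bin/echo checking ' . $input);

// 2) Argv interface: the value arrives as a single argument, so shell
//    metacharacters in it are ordinary bytes.
echo run_argv(['/bin/echo', 'checking', require_operand($input)]);
```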

