Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:103196
Return-Path: <arnold.adaniels.nl@gmail.com>
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 2186 invoked from network); 20 Sep 2018 14:33:53 -0000
Received: from unknown (HELO mail-pl1-f181.google.com) (209.85.214.181)
  by pb1.pair.com with SMTP; 20 Sep 2018 14:33:53 -0000
Received: by mail-pl1-f181.google.com with SMTP id s17-v6so4147031plp.7
        for <internals@lists.php.net>; Thu, 20 Sep 2018 03:40:29 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20161025;
        h=mime-version:from:date:message-id:subject:to;
        bh=EjhLu+iEhq/cYIYJ3W6cZmABPDYrQ7CzqDgWJtvu3QI=;
        b=IVOr8flA6loN8s/RWQldRlfvYSLGF+raPxXbRRp2jc64GoVGroQhlb6CZ1pw8jr4YN
         3nJifIEiIo3iwVMrVKVfQTRTN2Vbsf5qBKEqzTomlkgIPd83gR6kI+NjUe+Pny4g1mKK
         fD+8XvWQM2h5jo18hWVsuXm2B4MmfX8ApjTGkLkGhFE4jJD+mEvFC6xMwzfkIOf8BRoS
         Ja9fZzZpgTb5C8Firv6ODocyEg+NyQNeDZU9UtPr9nO0SLmDet7xRnOpelLzq7LkoG5r
         0duCaN5Z29WRzuG0fVH5HBKPoaUdGF8x7yepqIjwlC3AivHL2KXDhavBS0gtc6UV0QaU
         z1wQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:from:date:message-id:subject:to;
        bh=EjhLu+iEhq/cYIYJ3W6cZmABPDYrQ7CzqDgWJtvu3QI=;
        b=Nfw3iMwGislbGw6LzC+18RmECluEaNu54aLUfmiGXlZ+ktnChxaHC5u/4EPm7aojS+
         qacmm8yzAByytIKzUPxt3ApiNC+Ppn70KuzqrN64m/C9/l/UIXPKlCtl3qtqutUmMqnH
         lW/upymAGsGCN7f6Wif6VM3BSRq45rHtkzhfz2aDdF1EgWf+POZMB/JN2DLOjzw1lLBF
         uxqFOiOmunX/uHZJEUYgkao8Yk6DZdBNq309CKm18e6KMXsblR9Zg2SbSaB8qyo1nUtV
         a6jlAdkBhXU2l+b7Wajg7VjqtJjQfFauUXTPdSSFU099NBfqlFL5V/0eGETseNQySvek
         urLQ==
X-Gm-Message-State: APzg51DuxyZf6JoqFkNeiqhaXhgRzNouHnhvF/NVKoF2qY+mkkTBdjOb
	1Z9L0fLcO3WdTb54wGQsv2YZrWrIbj1HAzNO2ZOusQ==
X-Google-Smtp-Source: ANB0VdZDvNwEx939nrgymlBip9xcd/9oAGRDZsX74Wz82Y7otyCDhyrx3+dPTP5DxOSS5NBAZz/t76FPUWvhUKXinM0=
X-Received: by 2002:a17:902:f213:: with SMTP id gn19mr38864519plb.266.1537440028157;
 Thu, 20 Sep 2018 03:40:28 -0700 (PDT)
MIME-Version: 1.0
Date: Thu, 20 Sep 2018 12:37:37 +0200
Message-ID: <CANZOY=C6Zmh4QdxQvyzkErqPrJ0R-Xwq8ye9MYQmE085=n71cQ@mail.gmail.com>
To: PHP Internals <internals@lists.php.net>
Content-Type: multipart/alternative; boundary="000000000000bde9c605764b26c3"
Subject: Add FILTER_VALIDATE_INCLUDE validation filter for variable includes
From: arnold.adaniels.nl@gmail.com (Arnold Daniels)

--000000000000bde9c605764b26c3
Content-Type: text/plain; charset="UTF-8"

There are many security issues that arise from not sanitizing a variable
before using it in an include (eg `include $script;`).

The filter extension is intended to prevent this kind of security issues. A
validation filter would make it easier and could be the defacto standard
when using variable includes.

When a static code analyzer is used, it can check if the filter has been
used and the variable is safe to be used in include.

The options could be "base_path, allowed_streams".

The base_path option defines the path where the file should be in. Dots
like `..` are resolved. Home paths, like `~/foo` and `~arnold/` are not
allowed (or resolved). Symlinks are not considered.

The `allowed_streams` option would set which streams are allowed. By
default none. I feel this is a better option than relying on
'allow_url_include' or RFC: Precise URL include control (
https://wiki.php.net/rfc/allow_url_include).

    include filter_var($script, FILTER_VALIDATE_INCLUDE, ["base_path" =>
"path/to/project/", "allowed_streams" => ["phar", "zip"]]);

What do you think?

Also, does this require an RFC or should I just create a PR?

- Arnold

--000000000000bde9c605764b26c3--