Newsgroups: php.internals
Xref: news.php.net php.internals:103199
Date: Thu, 20 Sep 2018 14:11:23 +0300
To: Arnold Daniels
Cc: PHP Internals
Content-Type: text/plain; charset="UTF-8"
Subject: Re: [PHP-DEV] Add FILTER_VALIDATE_INCLUDE validation filter for variable includes
From: narf@devilix.net (Andrey Andreev)

Hi,

On Thu, Sep 20, 2018 at 1:37 PM, Arnold Daniels wrote:
> There are many security issues that arise from not sanitizing a variable
> before using it in an include (e.g. `include $script;`).
>
> The filter extension is intended to prevent this kind of security issue. A
> validation filter would make it easier and could be the de facto standard
> when using variable includes.
>
> When a static code analyzer is used, it can check if the filter has been
> used and the variable is safe to be used in include.
>
> The options could be "base_path, allowed_streams".
>
> The base_path option defines the path where the file should be in. Dots
> like `..` are resolved. Home paths, like `~/foo` and `~arnold/`, are not
> allowed (or resolved). Symlinks are not considered.
>
> The `allowed_streams` option would set which streams are allowed. By
> default none. I feel this is a better option than relying on
> 'allow_url_include' or RFC: Precise URL include control
> (https://wiki.php.net/rfc/allow_url_include).
>
>     include filter_var($script, FILTER_VALIDATE_INCLUDE, ["base_path" =>
>         "path/to/project/", "allowed_streams" => ["phar", "zip"]]);
>
> What do you think?
>
> Also, does this require an RFC or should I just create a PR?

Those security issues arise from using user inputs as includes at all, not
just from lack of sanitization. Sanitization is more often than not
imperfect and there's always the potential to bypass it.

The only acceptable way of doing something similar to variable includes is
the following:

    if ($input === 'foo') {
        require 'path/to/foo.php';
    }

... which is not in fact a variable include.

Adding the filter that you're proposing would imply that doing input
variable includes is ok, and I am very strongly against this.

Cheers,
Andrey.
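The pattern Andrey describes, generalised from a single `if` to a fixed map of literal paths, as an added example that is not code from the thread; the page names and the files under pages/ are hypothetical.

```php
<?php
declare(strict_types=1);

// Fixed map of request keys to literal file paths (hypothetical files).
// The include argument is always one of these literals; user input only
// selects an entry, it never becomes part of a path. That is why no `..`,
// stream wrapper or encoding trick in the input can change what is loaded.
const PAGES = [
    'home'    => __DIR__ . '/pages/home.php',
    'about'   => __DIR__ . '/pages/about.php',
    'contact' => __DIR__ . '/pages/contact.php',
];

/**
 * Map a request parameter to one of the known page files, or null.
 * Accepts `mixed` because $_GET values may be arrays or other non-strings.
 */
function resolvePage(mixed $input): ?string
{
    // Anything that is not a plain string is rejected before the lookup.
    if (!is_string($input)) {
        return null;
    }
    // Exact key match against the constant map; the returned value is the
    // literal from PAGES, not the input string.
    return array_key_exists($input, PAGES) ? PAGES[$input] : null;
}

// Dispatch. $_GET['page'] stands in for whatever carries the user's choice;
// in the CLI $_GET is empty and the default 'home' is used.
$file = resolvePage($_GET['page'] ?? 'home');
if ($file === null) {
    http_response_code(404);
    echo "Unknown page\n";
    exit;
}
require $file;   // $file is a literal from PAGES, so this is not a variable include
```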