Newsgroups: php.internals
Subject: Re: [PHP-DEV] Add FILTER_VALIDATE_INCLUDE validation filter for variable includes
From: narf@devilix.net (Andrey Andreev)
To: Arnold Daniels
Cc: PHP Internals
Date: Thu, 20 Sep 2018 21:50:33 +0300

Hi again,

On Thu, Sep 20, 2018 at 5:29 PM, Arnold Daniels wrote:
>
> Variable includes have proper purposes, like for a (PSR-4) autoloader. This
> can't be simply replaced with an 'if' statement. Other reasons are module
> inclusion and generated code.
>

Of course, there are a few valid applications even for the most discouraged practices - in that you are correct. But you should know I meant *user input* variable inclusion in particular.

Either way, I don't see how a *user input filter* validator would help PSR-4, generated code and/or whatever you meant by module inclusion.

Just to be clear, in everything I'm saying, I assume you want to solve the following problem:

    include $_GET['page'].".php"; // <-- vulnerability

(simplified, of course)

> Variable inclusion is already done very often. I don't think this filter
> will persuade people to do it that would otherwise not. This is a common
> security issue. So if variable inclusion isn't disabled in full, having a
> common way to prevent such issues seems like a good idea to me.
>

Well, I've got two things to say about this:

1. The developers who introduce such vulnerabilities are the ones who don't do validation in the first place, so the way I see it, the few poor souls who might benefit from your proposal wouldn't care for it anyway.

2. Reiterating from my previous reply, this would only serve as an excuse for some to say that user input variable inclusion is an OK thing to do, because "see, PHP has a tool specifically for it, so it must be good".

>> Sanitization is more often than not imperfect and there's always the
>> potential to bypass it.
>
> This would be a validation filter and not a sanitization filter. Can you give
> an example on how you could bypass it?
>

Sorry, you started the discussion by mentioning sanitization and I just went with it without noticing the details.

Still, even as a validator this can be bypassed depending on the application architecture - sure, you specify a base path, but who is to say I'm not trying to RCE via something within that base path?

Cheers,
Andrey.
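Added example, not part of the thread: it contrasts the "base path" validation Arnold's filter would perform with an allowlist, which is the mitigation that removes user input from the include path entirely. The `pages/` directory layout, the page names and the 404 fallback are assumptions for illustration.

```php
<?php
// Added example (not from the thread). Hardened alternatives to the quoted
// `include $_GET['page'].".php"` pattern. PAGES_DIR and the page names are
// assumed for illustration.
declare(strict_types=1);

const PAGES_DIR = __DIR__ . '/pages'; // assumed layout: one .php file per page

// A. Base-path validation, roughly what a FILTER_VALIDATE_INCLUDE-style filter
//    would do: resolve the requested file and require it to stay under PAGES_DIR.
//    This stops traversal out of the directory, but it still trusts *every* file
//    that exists beneath it (uploads, backups, leftover scripts), which is the
//    gap Andrey points at: the check is on location, not on intent.
function resolveUnderBasePath(string $page): ?string
{
    $base = realpath(PAGES_DIR);
    $path = realpath(PAGES_DIR . '/' . $page . '.php');
    if ($base === false || $path === false) {
        return null; // missing directory or file
    }
    return str_starts_with($path, $base . DIRECTORY_SEPARATOR) ? $path : null;
}

// B. Allowlist: the code, not the request, enumerates what may be included.
//    User input is only ever a lookup key and never becomes part of a path.
const PAGE_MAP = [
    'home'    => PAGES_DIR . '/home.php',
    'about'   => PAGES_DIR . '/about.php',
    'contact' => PAGES_DIR . '/contact.php',
];

function resolveFromAllowlist(string $page): ?string
{
    return PAGE_MAP[$page] ?? null;
}

// Dispatch using the allowlist; unknown keys get a fixed 404 page rather than
// any attempt to include what the request named.
$requested = $_GET['page'] ?? 'home';
$target = resolveFromAllowlist($requested);
if ($target === null) {
    http_response_code(404);
    $target = PAGES_DIR . '/404.php'; // assumed to exist
}
include $target;
```

`resolveUnderBasePath()` is kept only to show what a location-only check accepts; in a real application the allowlist branch is the one to wire up, and any directory that receives uploads should never be the include base at all.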