Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:131035 X-Original-To: internals@lists.php.net Delivered-To: internals@lists.php.net Received: from php-smtp4.php.net (php-smtp4.php.net [45.112.84.5]) by lists.php.net (Postfix) with ESMTPS id 500E41A00BC for ; Thu, 28 May 2026 09:33:20 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=php.net; s=mail; t=1779960804; bh=+FTYFuPBrkAMc3ajyLtaHu+o48SQ/4mxzW8f/eXbOiE=; h=Subject:From:In-Reply-To:Date:Cc:References:To:From; b=WbcY9BoRdwlP5DnC+WBqH/TSF8OWKmLNjJfNFvU3ojGFWm/yX7w5IlwdtX/mHZtyD jOLaoRMtGFo6+f/57/OljYMX2YETejr/X7hSpc2rky2Np2Ifu4dv+g4PbrNULhooqF z1L2UKds2Vl70YyIhzUMSX4hqL5PzzfkgrLpgNahgFaRHZwLIJE92xQitUsw2YvsON DW/kUqZ8s+WZ90rMY8jYy6nqtygzVxBwQtEwhLPN274YV7va/gGLgQHgywfY39eybO 2u8QAZJaSBJOH5aU2ZQ8AadDtQxIUGAnlikUwOXDf7o+uX2BnQlxJFDNkgcgOkMyox yQhjpCF7lToKQ== Received: from php-smtp4.php.net (localhost [127.0.0.1]) by php-smtp4.php.net (Postfix) with ESMTP id 262D41804D4 for ; Thu, 28 May 2026 09:33:24 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 4.0.1 (2024-03-25) on php-smtp4.php.net X-Spam-Level: * X-Spam-Status: No, score=1.9 required=5.0 tests=BAYES_50,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,DMARC_PASS, FREEMAIL_ENVFROM_END_DIGIT,FREEMAIL_FROM,FREEMAIL_REPLY, RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,SPF_PASS autolearn=no autolearn_force=no version=4.0.1 X-Spam-Virus: No X-Envelope-From: Received: from mail-wm1-f42.google.com (mail-wm1-f42.google.com [209.85.128.42]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by php-smtp4.php.net (Postfix) with ESMTPS for ; Thu, 28 May 2026 09:33:23 +0000 (UTC) Received: by mail-wm1-f42.google.com with SMTP id 5b1f17b1804b1-48e6db3ff7eso64906355e9.0 for ; Thu, 28 May 2026 02:33:18 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1779960797; x=1780565597; darn=lists.php.net; h=to:references:message-id:content-transfer-encoding:cc:date :in-reply-to:from:subject:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=fzydc7slkbgNG8zrgt3EgUzw7H0A0mlFvI+veLt9tQI=; b=Hn/uwEU+TRzHFTsnczTFVcgfr8StBAslfWjwd3jpcQrbWKHHiVJ5qzmfag7RfcSh9d HQqGEbxCj/NGWFZKDvvloa5YfXy5Immy9l9ysfZJDMh+uVsCHGNMZzpEwPf4xpaDCOas 7NkTu7T/M14/ui43zVuIGu+3MAH3D3L6Gp63CNBHYmGr6pthsK5eU0bQ0vm3D2FQjQOT 8d0dpBR8qOeFgltn6rDEXxKbgkhlEJ58iY1ZcucCeKpvcU3BFq7NPodxatxaPx56+AuK gC6uyX4zBXH92Po21zmUpeKS5auaoDYlSeDUcjO7Vn3Dm+Bcw3bX5FqCyUDRFr+1wUZr M79g== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1779960797; x=1780565597; h=to:references:message-id:content-transfer-encoding:cc:date :in-reply-to:from:subject:mime-version:x-gm-gg:x-gm-message-state :from:to:cc:subject:date:message-id:reply-to; bh=fzydc7slkbgNG8zrgt3EgUzw7H0A0mlFvI+veLt9tQI=; b=VBAgyW3vWw3tv5TogiAK+e4dVkC4M1t2OwgfK/IuKZLHttZ9DojkrB9Bb3E63/Ax18 RySb2kCKedzKVPxFFCjgt0oRUn9aF75kTDVucQl20HCSw9qrRU1O6DyYQCZhqLTxjAyh Ft6PjpxC6lIXkWu3detr4lfMhNXms+jYIkMoVRuV9N3F5EbdDOEuCOAxWZruTqiAnRc3 m0DG5hQ4xro5UrmGz7ipK2/D8Ui14hsr6acluqV6Zwx1SnxwDkBJ3t1pPeN6muiwWng6 5G6JcPvcmgsD922SE6z1tAPW6Cqi1LQL8KcdWuxrxAOH+NSoWUs1H9xh75lgMMyIh87/ kqhQ== X-Gm-Message-State: AOJu0YxghA1LmpI468v70B55IBcjLrH1UUFYZa6axg1pzgvLRUEp5xo2 gmb/1nC4elyrazkLDvlELpLrwB7jGFpjx0vYtZgVDPzGfwyF0GK/RCJxuQHkbMYq X-Gm-Gg: Acq92OFBrRxjG40w6HKi+ePvH1I6kroNn86QGA/OPFgMh6rgUSCshYoA3pdeHf2TqOq GsgUIE/GHn5ahc6CaVveIsmOD65pSn75ue6USaNhDnmzK0tfikNiNz0DlEHkiOM7jSAIeu20yyW 37RWHiviVGiuQOikCVIKzOcDQpRhrxOod1SwT4YHmtEbaFg2LiYZE+FMn5m1zvHgKa68RWTqpgA zCJWU2CzNKnJU20FrBL2hyweabEwTNBBWpcemH337lVCkXRu16vSYO2xZ5eKYg8kQ0f59BAjVch JsBT5Z3kZ2qK12iV9oYcYqGSvGuiTApGnD4dqPGRy0CXBEG3+Td/Tadw0I5rB/UciojA0PZ3iNe kT1MkYaX8VIcy+UIccq+5vIgRAeRqfcFioJ2dEfLNF9dgVj+5kvndvvWaQpU5Wg587naC/i8AW3 7HFtoB5eGmEcINxjw6z8+4as6DPhil0zaMadLk6xb+b7t0VQxkXjX2RWa+Iwcc1464ihV8tNUsF E9VsnYU4BXOXQ== X-Received: by 2002:a05:600c:468f:b0:490:47e0:e131 with SMTP id 5b1f17b1804b1-49047e0e229mr446194535e9.16.1779960797292; Thu, 28 May 2026 02:33:17 -0700 (PDT) Received: from smtpclient.apple (p508ccfb8.dip0.t-ipconnect.de. [80.140.207.184]) by smtp.gmail.com with ESMTPSA id 5b1f17b1804b1-49091d57c0dsm48029815e9.0.2026.05.28.02.33.16 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Thu, 28 May 2026 02:33:16 -0700 (PDT) Content-Type: text/plain; charset=us-ascii Precedence: list list-help: list-unsubscribe: list-post: List-Id: x-ms-reactions: disallow Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3864.600.51.1.1\)) Subject: Re: [PHP-DEV] [Pre-RFC] Pure-code source files via .phpc extension In-Reply-To: Date: Thu, 28 May 2026 11:33:05 +0200 Cc: php internals Content-Transfer-Encoding: quoted-printable Message-ID: <942370FC-4278-42B1-9A64-76CF428D7B7C@gmail.com> References: <9E95EA03-B86A-D248-A980-B1E838F94C13@hxcore.ol> <20260527131921.086BB1A00BD@lists.php.net> <8AE9A269-2E40-42F0-A0F8-C6690B2935FE@gmail.com> <20260528023149.C97961A00BD@lists.php.net> <76D39851-7DAC-4F56-9615-B98B0A918770@gmail.com> <20260528043224.2CDD51A00BD@lists.php.net> <690e2bc4-d6c9-488b-bbd7-0010437f6c15@gmail.com> <878E83EF-DBA2-429A-A17B-55238600E834@gmail.com> To: go.al.ni@gmail.com X-Mailer: Apple Mail (2.3864.600.51.1.1) From: hmennen90@gmail.com (Hendrik Mennen) > Am 28.05.2026 um 11:10 schrieb go.al.ni@gmail.com: >=20 > I see a security concern in introducing a new file extension. >=20 > It's common to configure a web server to pass locations that end with = .php to a PHP interpreter. >=20 > Nginx example: >=20 > ``` > location ~ \.php$ { > include snippets/fastcgi-php.conf; > fastcgi_pass unix:/run/php/php8.2-fpm.sock; > } > ``` >=20 > Apache2 example: >=20 > ``` > > SetHandler application/x-httpd-php > > ``` >=20 > With a new file extension, users would be forced to change their = configs, or a direct request to .phpX file would expose its source code. >=20 > This will come as a surprise to users who don't know about the pure = syntax yet include libraries that use it. Hi, This is a legitimate concern and one the RFC must address head-on rather = than wave away. Let me engage with it directly. > With a new file extension, users would be forced to change their > configs, or a direct request to .phpX file would expose its source > code. This will come as a surprise to users who don't know about the > pure syntax yet include libraries that use it. The risk is real, and it is structurally identical to the problem that = .inc files have caused for decades and that .module files caused in = older Drupal setups. The path of attack is: a Composer library uses = pure-code files, the consumer's web server has no handler for the new = extension, an attacker requests the file by direct URL, and the server = returns the source verbatim. Database credentials, API keys, business = logic all exposed. So I think the RFC has to do at least four things to take this = seriously: 1. Mandatory Security section. A dedicated section in the RFC describing = the exposure risk, the affected configurations, and the mitigations. Not = buried, not phrased as "users should configure properly," but as a = first-class concern. 2. Canonical web server configurations as part of the RFC. Apache = (FilesMatch with SetHandler, plus a defensive deny rule for any other = extension fallthrough), Nginx (location block extending the pattern to = cover the new extension), Caddy, and FrankenPHP snippets. These would = also go into php.net documentation on acceptance. 3. Composer ecosystem coordination. Before submitting the formal RFC, I = plan to talk to the Composer maintainers about both autoload support and = about whether the conventional vendor/ layout should be documented as = the canonical mitigation (vendor outside web root, or vendor denied at = the web server level). This is already a best practice for other = sensitive files, but it should be promoted to documented requirement = when pure-code libraries become possible. 4. Consideration of a transitional default. One option worth weighing: = ship the pure-code extension support disabled by default at the SAPI = level for the first PHP release that introduces it, requiring = administrators to opt in via configuration. This trades some adoption = friction for stronger safety during the transition period. I am not yet = decided on this and would value the list's input. What I do not think works as a mitigation: - Engine-side refusal to serve pure-code files as text. By the time the = web server is returning the file as static content, PHP is not in the = request path at all. There is nothing the engine can do. - Renaming the extension to something less guessable. The same = path-traversal class of attack would still find it once libraries adopt = a convention. - Relying on users to figure it out. That is exactly the assumption that = has made .inc and .module a recurring incident class. The one structural argument in favor of the proposal here is that the = population at risk is bounded by adoption: users who do not opt in to = pure-code files do not have any new exposure, and users who do opt in = are by definition aware of the new file type and can be expected (with = proper documentation) to update their server config. But that argument = only holds if the documentation is unmissable, which is exactly why the = Security section has to be primary. Thanks for surfacing this, it is going straight into the draft. Hendrik Mennen Maintainer, PHPolygon=