Newsgroups: php.internals
Date: Sat, 13 Jan 2007 18:13:30 +0100
From: helly@php.net (Marcus Boerger)
Reply-To: Marcus Boerger
To: Stefan Esser
Cc: Rasmus Lerdorf, "internals@lists.php.net"
Subject: Re: [PHP-DEV] Comments on PHP security
Message-ID: <526994769.20070113181330@marcus-boerger.de>
In-Reply-To: <45A91002.8020607@hardened-php.net>
References: <45A8FC49.7050909@hardened-php.net> <45A90809.3050008@lerdorf.com> <45A91002.8020607@hardened-php.net>

Hello Stefan,

I also think something should be done here. The is_url flag does not really help. What we imho need is an ini setting that allows specifying which stream handlers to allow. And that should not include user streams.

best regards
marcus

Saturday, January 13, 2007, 5:59:45 PM, you wrote:

>> I am not sure I would call it a blacklist. It is a flag in the streams
>> layer that marks stream handlers that could possibly make a network
>> connection as such and there are only a finite set of stream handlers.
>>
> Unfortunately there is not a finite set of stream handlers. First of all
> there are userstreams. An application could register a dangerous
> userstream (that is of course not marked as URL) which is then abused by
> an include.
> Then there are PECL extensions that register streams.
> Just pick a random one: Let's take ext/ssh2. This is not just any pecl
> extension, but one from a PHP core developer.
> SSH is obviously a network protocol. The PHP documentation even states
> that SSH streams are forbidden during allow_url_fopen.
> However from looking at the code I assume this documentation is wrong,
> because I see all is_url flags being set to 0.
> Voila, just install pecl/ssh and you are still vulnerable to remote file
> includes.
> That is the problem with opt-in/aka blacklist methods.
> Stefan

Best regards,
Marcus
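As an added illustration (not code from this thread or from PHP core), the allow-list Marcus asks for can be approximated at application level with the existing stream_get_wrappers() and stream_wrapper_unregister() functions: every wrapper not explicitly permitted, including a user stream that is not flagged as a URL, is removed before any include can reach it. The wrapper name `demo`, the class `DemoUserStream` and the allow-list contents are constructed for the example.

```php
<?php
// Added example: approximate the proposed "allowed stream handlers" ini
// setting in userland. Run this in the first file executed (for instance
// via auto_prepend_file) so it precedes every include/require.

const ALLOWED_WRAPPERS = ['file', 'php'];  // constructed allow-list

function restrict_stream_wrappers(array $allowed): array
{
    $removed = [];
    foreach (stream_get_wrappers() as $wrapper) {
        if (in_array($wrapper, $allowed, true)) {
            continue;
        }
        // stream_wrapper_unregister() returns false if removal failed.
        if (stream_wrapper_unregister($wrapper)) {
            $removed[] = $wrapper;
        }
    }
    return $removed;
}

// A user stream is never marked is_url, so allow_url_* does not cover it.
// This constructed wrapper stands in for the case described in the thread.
class DemoUserStream
{
    public $context;
    private string $data = "<?php echo 'user stream content'; ?>";
    private int $pos = 0;

    public function stream_open(string $path, string $mode, int $options, ?string &$opened_path): bool
    {
        return true;
    }
    public function stream_read(int $count): string
    {
        $chunk = substr($this->data, $this->pos, $count);
        $this->pos += strlen($chunk);
        return $chunk;
    }
    public function stream_eof(): bool { return $this->pos >= strlen($this->data); }
    public function stream_stat() { return ['size' => strlen($this->data)]; }
}

stream_wrapper_register('demo', DemoUserStream::class);

$removed = restrict_stream_wrappers(ALLOWED_WRAPPERS);
printf("Unregistered wrappers: %s\n", implode(', ', $removed));
// 'demo' is no longer registered, so an include of demo://... is refused
// by the streams layer instead of executing the wrapper's content.
var_dump(in_array('demo', stream_get_wrappers(), true));
```

Unregistering wrappers is process-wide for the request, so the allow-list must also contain whatever the application legitimately needs (for example `phar` or `data` if they are used).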