Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:27443 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 2535 invoked by uid 1010); 14 Jan 2007 20:53:09 -0000 Delivered-To: ezmlm-scan-internals@lists.php.net Delivered-To: ezmlm-internals@lists.php.net Received: (qmail 2520 invoked from network); 14 Jan 2007 20:53:09 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 14 Jan 2007 20:53:09 -0000 Authentication-Results: pb1.pair.com smtp.mail=cellog@php.net; spf=permerror; sender-id=unknown Authentication-Results: pb1.pair.com header.from=cellog@php.net; sender-id=unknown Received-SPF: error (pb1.pair.com: domain php.net from 66.79.163.178 cause and error) X-PHP-List-Original-Sender: cellog@php.net X-Host-Fingerprint: 66.79.163.178 bluga.net Linux 2.5 (sometimes 2.4) (4) Received: from [66.79.163.178] ([66.79.163.178:38985] helo=mail.bluga.net) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id BA/0D-12132-2389AA54 for ; Sun, 14 Jan 2007 15:53:06 -0500 Received: from mail.bluga.net (mail.bluga.net [127.0.0.1]) by mail.bluga.net (Postfix) with ESMTP id 0F6FE87DF3; Sun, 14 Jan 2007 12:50:04 -0800 (PST) Received: from [192.168.0.2] (user-0cdf20n.cable.mindspring.com [24.215.136.23]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mail.bluga.net (Postfix) with ESMTP id F0BC487D35; Sun, 14 Jan 2007 12:50:02 -0800 (PST) Message-ID: <45AA961D.4090401@php.net> Date: Sun, 14 Jan 2007 14:44:13 -0600 User-Agent: Thunderbird 1.5.0.9 (Windows/20061207) MIME-Version: 1.0 To: Stanislav Malyshev CC: Stefan Esser , Marcus Boerger , "internals@lists.php.net" References: <45A8FC49.7050909@hardened-php.net> <45A90809.3050008@lerdorf.com> <45A91002.8020607@hardened-php.net> <526994769.20070113181330@marcus-boerger.de> <45AA116F.7020109@hardened-php.net> In-Reply-To: Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit X-Virus-Scanned: ClamAV using ClamSMTP Subject: Re: [PHP-DEV] Comments on PHP security From: cellog@php.net (Greg Beaver) Stanislav Malyshev wrote: > SE>>And If I am not completely mistaken here unlike php://filter a > SE>>userstream will not give the THIS_IS_AN_INCLUDE_FLAG down to a stream > SE>>itself opens. > > I think I see what you mean now - i.e. that the user implementation might > be tricked into opening URL for include even though direct opening URL for > include is not allowed, and since it would do e.g. fopen, it may work > around the allow_url_include. > > I would say in most cases prohibiting anything but plain file wrapper for > include might be OK, however I know about a number of instances of > legitimate wrappers used for include - e.g. archive files like phar and > there are other, custom solutions that I saw that use wrappers as base. > Maybe it would be a good idea also to pass a flag to stream_open saying it > is used for include - though it won't fix broken code of course. Hi, There is just such a flag passed to wrapper_open (at least inside pecl streams, I imagine you're talking about user streams) but that most likely would not be secure at all, as it puts the onus on the streams implementor, which is the problem right now. This is why I suggested disabling all remote access while calling a stream's open and read for include purposes, it centralizes the security access inside the zend engine where it is possible to audit and easier to control. In my opinion, it would be a pity to lose the design benefits of stream wrappers in the effort to gain more security when security can be gained without losing the benefits. I think it would be good to allow disabling all urls as Stefan suggested, but if there is a way to restrict to truly local stream wrappers, I would need to be educated as to how this is less secure than outright disabling urls. Greg