Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:27491
Return-Path: <info@adaniels.nl>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 11808 invoked by uid 1010); 16 Jan 2007 23:45:47 -0000
Delivered-To: ezmlm-scan-internals@lists.php.net
Delivered-To: ezmlm-internals@lists.php.net
Received: (qmail 11787 invoked from network); 16 Jan 2007 23:45:46 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 16 Jan 2007 23:45:46 -0000
Authentication-Results: pb1.pair.com smtp.mail=info@adaniels.nl; spf=permerror; sender-id=unknown
Authentication-Results: pb1.pair.com header.from=info@adaniels.nl; sender-id=unknown
Received-SPF: error (pb1.pair.com: domain adaniels.nl from 82.94.236.173 cause and error)
X-PHP-List-Original-Sender: info@adaniels.nl
X-Host-Fingerprint: 82.94.236.173 loco.helderhosting.nl Linux 2.5 (sometimes 2.4) (4)
Received: from [82.94.236.173] ([82.94.236.173:58141] helo=loco.helderhosting.nl)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id 78/B0-05231-6A36DA54 for <internals@lists.php.net>; Tue, 16 Jan 2007 18:45:44 -0500
Received: from [192.168.1.167] (a80-126-54-132.adsl.xs4all.nl [80.126.54.132])
	by loco (Postfix) with ESMTP id 8B33B51C873;
	Wed, 17 Jan 2007 00:45:38 +0100 (CET)
Message-ID: <45AD63A1.2040206@adaniels.nl>
Date: Wed, 17 Jan 2007 00:45:37 +0100
User-Agent: Thunderbird 1.5.0.9 (X11/20070103)
MIME-Version: 1.0
To: Greg Beaver <cellog@php.net>
Cc: Stanislav Malyshev <stas@zend.com>,
	Stefan Esser <sesser@hardened-php.net>,
	Marcus Boerger <helly@php.net>,
	"internals@lists.php.net" <internals@lists.php.net>
References: <F1076B95-2D05-4690-AE84-21FC0552F17A@ch2o.info> <45A8FC49.7050909@hardened-php.net> <45A90809.3050008@lerdorf.com> <45A91002.8020607@hardened-php.net> <526994769.20070113181330@marcus-boerger.de> <Pine.LNX.4.64.0701141301180.32133@mail.zend.com> <45AA116F.7020109@hardened-php.net> <Pine.LNX.4.64.0701141436460.16363@mail.zend.com> <45AA961D.4090401@php.net>
In-Reply-To: <45AA961D.4090401@php.net>
X-Enigmail-Version: 0.94.0.0
Content-Type: multipart/alternative;
 boundary="------------080208030102040104060606"
Subject: Re: [PHP-DEV] Comments on PHP security
From: info@adaniels.nl (Arnold Daniels)

--------------080208030102040104060606
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit

Hi,

First of all I admit I'm no PHP security expert or PHP internals expert
or anything, so please don't flame me if I say something stupid.

Wouldn't simply adding a flag to allow url's (which includes all '*://'
streams), in functions that opens streams be enough? For example:
fopen($file, 'r') and fopen($url, 'ru') and fopen('php://output', 'ru').
To my opinion, using '*://' streams is an advanced feature. Developers
who are using that, should be able to make sure no urls are opened.
Again, just an idea.

Last, I'm a software developer at a shared hosting company. To my
opinion, making sure that users don't touch other people's files, does
not belong in the PHP layer. With other apache modules you can do nasty
thing as well. We (not me) have written a kernel patch to allow
switching of the current processes (much like sudo) and a matching
apache module. Since the privileges only allow the user or group to
access the file, linux does the rest. An other solution is to start PHP
as cgi under the correct user, but other things will never be really save.

Best regards,
Arnold



Greg Beaver wrote:
> Stanislav Malyshev wrote:
>   
>> SE>>And If I am not completely mistaken here unlike php://filter a
>> SE>>userstream will not give the THIS_IS_AN_INCLUDE_FLAG down to a stream
>> SE>>itself opens.
>>
>> I think I see what you mean now - i.e. that the user implementation might 
>> be tricked into opening URL for include even though direct opening URL for 
>> include is not allowed, and since it would do e.g. fopen, it may work 
>> around the allow_url_include.
>>
>> I would say in most cases prohibiting anything but plain file wrapper for 
>> include might be OK, however I know about a number of instances of 
>> legitimate wrappers used for include - e.g. archive files like phar and 
>> there are other, custom solutions that I saw that use wrappers as base. 
>> Maybe it would be a good idea also to pass a flag to stream_open saying it 
>> is used for include - though it won't fix broken code of course.
>>     
>
> Hi,
>
> There is just such a flag passed to wrapper_open (at least inside pecl
> streams, I imagine you're talking about user streams) but that most
> likely would not be secure at all, as it puts the onus on the streams
> implementor, which is the problem right now.  This is why I suggested
> disabling all remote access while calling a stream's open and read for
> include purposes, it centralizes the security access inside the zend
> engine where it is possible to audit and easier to control.
>
> In my opinion, it would be a pity to lose the design benefits of stream
> wrappers in the effort to gain more security when security can be gained
> without losing the benefits.  I think it would be good to allow
> disabling all urls as Stefan suggested, but if there is a way to
> restrict to truly local stream wrappers, I would need to be educated as
> to how this is less secure than outright disabling urls.
>
> Greg
>
>   

--------------080208030102040104060606--