Newsgroups: php.internals
Date: Thu, 31 Jul 2003 09:22:23 -0700 (PDT)
To: skate
cc: internals@lists.php.net
Subject: Re: [PHP-DEV] upload compromises
From: rasmus@lerdorf.com (Rasmus Lerdorf)

On Thu, 31 Jul 2003, skate wrote:

> > There is a directive to turn off uploads altogether. I don't see us going
> > beyond that. How are we supposed to detect executables? An executable is
> > extremely platform-dependent. I suppose we could suck all the code from
> > the UNIX 'file' command into PHP and try to determine a filetype from the
> > magic bytes, but to what end? What exactly are you trying to protect
> > against here?
>
> well, i was more thinking of, by default, only allowing say images,
> documents and compressed files.

What is a document? Like I said, if the server is configured to parse PHP tags out of .html files, which is rather common, then even uploading a .html file is unsafe. A straight .txt file could potentially be unsafe while an executable is completely safe because there is unlikely to be a server configuration that would enable this executable to actually be executed.

Are you worried about client-side security when you talk about blocking executables from being uploaded? As in uploading an executable that is then later downloaded by someone else and run? Because surely, uploading an executable is unlikely to be a problem on the server.

We could put in a mime-type filter, but that would act on the client-provided mime-type which is rather unreliable. Perhaps couple that with mime-magic checking and I guess it could be useful as an optional ini directive.

-Rasmus
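A sketch of the filter floated at the end of the message, as an added example that is not part of the original post or of PHP's own code: it compares the client-provided MIME type with the type sniffed from the content through PHP's fileinfo extension. The function name `check_upload`, the allow-list policy and the sample bytes are assumptions made for illustration.

```php
<?php
// Added example: hypothetical userland check, not code from PHP itself.

/**
 * Compare the browser-supplied type with the type sniffed from the content.
 * $declaredType corresponds to $_FILES[...]['type'], which the client controls.
 */
function check_upload(string $bytes, string $declaredType): array
{
    // Assumed policy: sniffed type => extension the file will be stored under.
    $allowed = ['image/png' => 'png', 'image/gif' => 'gif', 'image/jpeg' => 'jpg'];

    // fileinfo is built on libmagic, the library behind the UNIX 'file' command.
    $sniffed = (new finfo(FILEINFO_MIME_TYPE))->buffer($bytes) ?: 'application/octet-stream';

    if (!array_key_exists($sniffed, $allowed)) {
        return ['ok' => false, 'sniffed' => $sniffed, 'ext' => null,
                'reason' => 'sniffed type is not on the allow-list'];
    }
    if (strtolower(trim($declaredType)) !== $sniffed) {
        return ['ok' => false, 'sniffed' => $sniffed, 'ext' => null,
                'reason' => 'declared type disagrees with the content'];
    }
    return ['ok' => true, 'sniffed' => $sniffed, 'ext' => $allowed[$sniffed],
            'reason' => 'accepted'];
}

// Constructed samples: a minimal PNG header, and an HTML file carrying a PHP tag.
$png  = "\x89PNG\r\n\x1a\n\x00\x00\x00\x0dIHDR\x00\x00\x00\x01\x00\x00\x00\x01\x08\x02\x00\x00\x00";
$html = '<html><body><?php /* server-side code */ ?></body></html>';

$cases = [
    ['png declared as image/png',  $png,  'image/png'],
    ['html declared as image/png', $html, 'image/png'],  // declared type is wrong
    ['html declared as text/html', $html, 'text/html'],  // honest, still not allowed
];
foreach ($cases as [$label, $bytes, $declared]) {
    $r = check_upload($bytes, $declared);
    printf("%-27s sniffed=%-12s ok=%s (%s)\n",
        $label, $r['sniffed'], $r['ok'] ? 'yes' : 'no', $r['reason']);
}
```

The sniffed type only describes the bytes; as the message points out, whether a stored file is dangerous depends on which names the server hands to an interpreter, so accepted files are best stored under the extension from the table rather than the client's filename.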