Newsgroups: php.internals
Sender: yohgaki@gmail.com
In-Reply-To: <4F80C739.2060404@gmail.com>
Date: Sun, 8 Apr 2012 14:16:58 +0900
To: Ángel González
Cc: PHP Developers Mailing List
Subject: Re: [PHP-DEV] PHP class files without :

> On 07/04/12 22:48, Yasuo Ohgaki wrote:
>> Hi,
>>
>> The only valid reason for removing
>> security.
>>
>> Since the null byte detection for fopen, remote/local script inclusion
>> became much harder than before. However, it's still possible and very
>> easy compared to other languages. Script execution is a critical security
>> problem and it's worth making it better.
>>
>> If there is a switch that turns off PHP's template engine nature, PHP
>> could be more secure than now.
>>
>> php.ini
>> template_mode = on   ; INI_ALL On by default
>>
>> php -t foo.php   # template mode by default
>> php -T foo.php   # template mode off
>>
>> People have the option to make their code a little more secure than now
>> or stick with the current behavior.
>>
>> Regards,
> How does it help security?
> If any, requiring ' out malicious files on apps with uploads in case there's a local
> inclusion vulnerability somewhere.
>

Attackers may inject PHP script into almost anything/anywhere, since PHP code may be
embedded anywhere in a file. For example, a malicious PHP script may be in a GIF,
something like

gif89a ...any data..

and all an attacker has to do is include/require the data somehow. Attackers cannot
do this for other languages, since they are not embedded languages. I know of cases
where attackers inject malicious perl/ruby script into data files, but PHP is too
easy compared to these languages.

Regards,

--
Yasuo Ohgaki
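As an added illustration of the check a defender would want for the "gif89a ... PHP code" case discussed above (example code written for this page, not from the thread or from the PHP project): a small Python upload scanner that verifies the declared file type against its magic bytes and then rejects any upload carrying a PHP open tag anywhere in its body. The sample uploads, the signature table and the function names are constructed for this example.

```python
import re
from typing import Optional, Tuple

# Constructed sample uploads (not from the original thread). "avatar.gif" is the
# pattern the post describes: a valid-looking GIF header followed by a PHP open tag.
GIF_HEADER = b"GIF89a\x01\x00\x01\x00\x80\x00\x00" + b"\x00" * 16
SAMPLE_UPLOADS = {
    "avatar.gif": GIF_HEADER + b"<?php /* constructed tag, no payload */ ?>",
    "clean.gif": GIF_HEADER + b";",
    "notes.txt": b"plain text, nothing to see",
    "doc.xml": b"<?xml version='1.0'?><a/>",
}

# Magic bytes per declared extension (constructed table, covers only a few types).
MAGIC = {
    "gif": (b"GIF87a", b"GIF89a"),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
}

# Every open tag the PHP parser has honoured, so that a scan is not fooled by
# short tags or the legacy <script language="php"> form (removed in PHP 7).
PHP_OPEN_TAG = re.compile(
    rb"<\?php\b"                               # normal open tag
    rb"|<\?="                                  # echo tag
    rb"|<\?\s"                                 # short tag when short_open_tag=On
    rb"|<script\s+language\s*=\s*[\"']?php\b", # legacy script tag
    re.IGNORECASE,
)


def find_php_tag(data: bytes) -> Optional[int]:
    """Return the offset of the first PHP open tag in data, or None if absent.
    '<?xml' is not matched: the short-tag form requires whitespace after '<?'."""
    m = PHP_OPEN_TAG.search(data)
    return m.start() if m else None


def magic_matches(name: str, data: bytes) -> bool:
    """Check that the content starts with a signature for the declared extension.
    Extensions without a known signature are left to the tag scan alone."""
    ext = name.rsplit(".", 1)[-1].lower()
    sigs = MAGIC.get(ext)
    if sigs is None:
        return True
    return any(data.startswith(s) for s in sigs)


def check_upload(name: str, data: bytes) -> Tuple[bool, str]:
    """Accept the upload only if its type is consistent and it carries no PHP tag."""
    if not magic_matches(name, data):
        return False, "content does not match declared type"
    off = find_php_tag(data)
    if off is not None:
        return False, f"PHP open tag at offset {off}"
    return True, "ok"


if __name__ == "__main__":
    for name, data in SAMPLE_UPLOADS.items():
        ok, reason = check_upload(name, data)
        print(f"{name:12s} {'accept' if ok else 'reject'}: {reason}")
```

The tag scan is a heuristic: it reduces what an include of an uploaded file can execute, but the root condition in the thread is that the file gets passed to include/require at all, so keeping user-controlled names out of include paths and serving uploads from a location where PHP is not executed remain the primary controls.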