Newsgroups: php.internals
Xref: news.php.net php.internals:59456
X-PHP-List-Original-Sender: tom@punkave.com
Date: Sun, 8 Apr 2012 08:31:54 -0400
To: Ángel González
Cc: Yasuo Ohgaki, PHP Developers Mailing List
Subject: Re: [PHP-DEV] PHP class files without
Message-ID: <2AD65A37-E1D3-4663-B580-D18C78118387@punkave.com>
References: <4F80C739.2060404@gmail.com> <4F817DE1.3020608@gmail.com>
In-Reply-To: <4F817DE1.3020608@gmail.com>
X-Mailer: iPhone Mail (9B176)

wrote:
> 2012/4/8, Yasuo Ohgaki:
>> 2012/4/8 Ángel González :
>>> How does it help security?
>>> If any, requiring '
>>> out malicious files on apps with uploads in case there's a local
>>> inclusion vulnerability somewhere.
>>>
>> Attackers may inject PHP script almost anything/anywhere since
>> PHP code may be embedded anywhere in a file.
>>
>> For example, malicious PHP script may be in GIF something like
>>
>> gif89a ...any data..
>>
>> and all an attacker has to do is include/require the data somehow.
>> Attackers cannot do this for other languages, since they are
>> not embedded languages. I know of cases where attackers may inject
>> malicious perl/ruby script in data files, but PHP is too easy
>> compared to these languages.
>>
>> Regards,
>>
>> --
>> Yasuo Ohgaki
> Yes, but if I properly check that there's no ' (as you should verify
> everything you allow users to upload), it can't be
> exploited.
> OTOH if the vulnerable include is not an include but an include_code,
> they could
> use a file which was
>> exec("rm -rf"); // Example of what not to do
> And was happily uploaded as "plain text".
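
An added example, not part of the thread or of PHP itself: the upload check the quoted reply describes (scan for an opening tag before storing the file), run over a GIF with an embedded tag and over a tag-less text file of the kind the reply says an include that needs no tag would still execute. The function name, file names and sample bytes are constructed for illustration.

```php
<?php
// Added example: scan uploaded bytes for PHP opening tags before storing them.
// find_php_open_tags() and all sample data are hypothetical.

/**
 * Return the kinds of opening tag found in $bytes with their byte offsets.
 * Covers "<?php", "<?=", bare "<?" (short_open_tag), "<%" (asp_tags) and
 * <script language="php">; the last two were still honoured by PHP 5.
 */
function find_php_open_tags(string $bytes): array
{
    $patterns = [
        'php'    => '/<\?php/i',
        'echo'   => '/<\?=/',
        'short'  => '/<\?(?!php|=)/i',
        'asp'    => '/<%/',
        'script' => '/<script[^>]*language\s*=\s*["\']?php/i',
    ];
    $hits = [];
    foreach ($patterns as $name => $re) {
        if (preg_match($re, $bytes, $m, PREG_OFFSET_CAPTURE)) {
            $hits[$name] = $m[0][1]; // offset of the first match
        }
    }
    return $hits;
}

// Constructed samples: a GIF header followed by an embedded tag, a "plain
// text" file holding code with no tag at all, and clean image bytes.
$samples = [
    'avatar.gif' => "GIF89a\x01\x00\x01\x00\x80\x00\x00<?php echo 'marker';",
    'notes.txt'  => 'echo "marker";',
    'clean.gif'  => "GIF89a\x01\x00\x01\x00\x80\x00\x00\xff\xff\xff",
];

foreach ($samples as $name => $bytes) {
    $hits = find_php_open_tags($bytes);
    printf("%-10s %s\n", $name, $hits ? 'REJECT ' . json_encode($hits) : 'no open tag');
}
```

The scan rejects `avatar.gif` but passes `notes.txt`, which is harmless to a normal `include` (text outside tags is emitted as output) and would only run under an include that does not require an opening tag.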