Newsgroups: php.internals
From: tyra3l@gmail.com
Date: Mon, 9 Apr 2012 12:11:03 +0200
To: Yasuo Ohgaki
Cc: Tom Boutell, PHP Internals
Subject: Re: [PHP-DEV] PHP class files without

wrote:
> Hi,
>
> The only valid reason for removing security.
>
> I disagree here.

What you are talking about here is https://www.owasp.org/index.php/Unrestricted_File_Upload

So a malicious user can upload a file containing php code and fire a request which will execute it. Executing it can happen directly (you request the uploaded file via http), or indirectly (you can trick some other script into including it, aka LFI, which is a vulnerability in itself).

For preventing the uploaded files from being executed directly, one should put the uploaded files in a separate directory and disable php execution for that directory via the web server config (php_flag engine 0).

I don't see how the removal of the open tags would prevent the malicious user from sending valid php code without an opening tag. I know that in your example you mentioned valid image files containing php code with an opening tag (in the image meta information), but that assumes that the code properly checks that the uploaded file is a valid image (or any other file format which can be injected with arbitrary php code). If that check doesn't happen or isn't entirely safe, one could inject php code even if we remove the opening tags.

So imo the correct defense against these kinds of attacks is:
- properly handle the file upload paths, so the users can only upload files to the given directory.
- turn off the php engine for that directory
- properly handle your file inclusions so you don't have LFI/RFI vulnerabilities.

-- 
Ferenc Kovács
@Tyr43l - http://tyrael.hu
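As an added illustration, not part of the thread above, here is a PHP upload handler and include helper that apply the three defenses listed in the message. It assumes a dedicated directory `/var/www/uploads` whose web server config has `php_flag engine 0` (or an equivalent rule) so nothing stored there is ever executed; the allowed-type list, file names and page map are constructed for the example.

```php
<?php
// Added example, not from the thread. Assumes UPLOAD_DIR is a dedicated
// directory served with "php_flag engine 0" in its .htaccess / vhost config.
const UPLOAD_DIR = '/var/www/uploads';  // assumed, see lead-in
// Content-type allowlist, keyed by the sniffed MIME type (constructed).
const ALLOWED = ['image/png' => 'png', 'image/jpeg' => 'jpg', 'image/gif' => 'gif'];

function store_upload(array $file): string
{
    // 1. Only accept a file that really arrived via a multipart upload.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('no valid upload');
    }
    // 2. Decide the type from the bytes, not from the client-supplied
    //    name or Content-Type; note this still does not prove the file
    //    carries no php code in its metadata, which is why the engine is
    //    disabled for UPLOAD_DIR as well.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset(ALLOWED[$mime])) {
        throw new RuntimeException("type $mime not allowed");
    }
    // 3. Never build the destination from the user-supplied name: a random
    //    name with our own extension keeps the file inside UPLOAD_DIR and
    //    prevents "../" or ".php" from steering where or what it becomes.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime];
    $dest = UPLOAD_DIR . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store upload');
    }
    chmod($dest, 0644);  // readable, never executable
    return $name;
}

// Third point from the message: include paths come from a fixed map,
// never from request data, so an uploaded file can't be pulled in via LFI.
const PAGES = ['home' => 'pages/home.php', 'about' => 'pages/about.php'];  // constructed

function page_for(string $key): string
{
    if (!isset(PAGES[$key])) {
        throw new RuntimeException('unknown page');
    }
    return __DIR__ . '/' . PAGES[$key];
}

// Usage from a form handler (assumed field name "image" and query key "p"):
// $stored = store_upload($_FILES['image']);
// require page_for($_GET['p'] ?? 'home');
```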