Newsgroups: php.internals
From: tom@punkave.com
Message-ID: <9F1068CD-5D48-4587-8310-41C3C4CFECAC@punkave.com>
Date: Mon, 9 Apr 2012 06:46:47 -0400
To: Ferenc Kovacs
Cc: Yasuo Ohgaki, PHP Internals
Subject: Re: [PHP-DEV] PHP class files without

Ferenc Kovacs wrote:

> On Sat, Apr 7, 2012 at 10:48 PM, Yasuo Ohgaki wrote:
> Hi,
>
> The only valid reason for removing security.
>
> I disagree here.
> What you are talking about here is
> https://www.owasp.org/index.php/Unrestricted_File_Upload
> So a malicious user can upload a file containing php code and fire a request which will execute it.
> Executing it can happen directly (you request the uploaded file via http), or indirectly (you can trick some other script to include it, aka LFI, which is a vulnerability in itself).
> For preventing the uploaded files from being executed directly, one should put the uploaded files in a separate directory and disable php execution for that directory via the web server config (php_flag engine 0).
>
> I don't see how the removal of the open tags would prevent the malicious user from sending valid php code without an opening tag.
> I know that in your example you mentioned valid image files containing php code with an opening tag (in the image meta information), but that assumes that the code properly checks that the uploaded file is a valid image (or any other file format which can be injected with arbitrary php code). If that check doesn't happen or is not entirely safe, one could inject php code even if we remove the opening tags.
> So imo the correct defense against this kind of attack is:
> - properly handle the file upload paths, so the users can only upload files to the given directory.
> - turn off the php engine for that directory
> - properly handle your file inclusions so you don't have LFI/RFI vulnerabilities.
>
> --
> Ferenc Kovács
> @Tyr43l - http://tyrael.hu
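The three controls in the quoted list (confine uploads to one directory, turn the PHP engine off for it, never let user input select code to include) fit in one small upload handler. The following is an added example, not code from the thread, from PHP itself or from either poster; it assumes PHP 7 or later (random_bytes, strict_types), a hypothetical UPLOAD_DIR, hypothetical function names, and that the web server has mod_php's engine switched off for that directory as shown in the leading comment:

```php
<?php
// Added example (not from the thread). Assumes UPLOAD_DIR is served by a
// web server that never executes PHP in it, e.g. Apache with mod_php:
//
//   <Directory "/var/www/app/uploads">
//       php_flag engine off
//       Options -ExecCGI -Includes
//   </Directory>
//
// With the engine off there, a file that happens to carry PHP code (in an
// image's metadata or anywhere else) is served as static bytes, opening
// tag or not. The PHP side below only keeps files inside that directory.
declare(strict_types=1);

const UPLOAD_DIR = __DIR__ . '/uploads';   // hypothetical location

// Extensions we accept, mapped to the MIME type finfo must report for them.
const ALLOWED = [
    'png'  => 'image/png',
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'gif'  => 'image/gif',
];

// Store one $_FILES entry and return the server-chosen name. The client name
// only selects a whitelisted extension; the stored name is random, so no
// user input ever becomes part of a filesystem path.
function storeUpload(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed, code ' . ($file['error'] ?? 'none'));
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('tmp_name is not an uploaded file');
    }
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        throw new RuntimeException("extension '$ext' not allowed");
    }
    // Check the bytes, not the client-supplied name or Content-Type. As the
    // thread notes, a valid image can still contain PHP code, so this check
    // does not replace the engine-off directory; it complements it.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime !== ALLOWED[$ext]) {
        throw new RuntimeException("content is $mime, expected " . ALLOWED[$ext]);
    }
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = confinedPath($name);
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not move uploaded file');
    }
    chmod($dest, 0644);   // data, never executable
    return $name;
}

// Map a stored name to an absolute path and prove it lies inside UPLOAD_DIR.
// Rejects separators, traversal and dotfiles, so readfile()/unlink() on the
// result cannot be steered to another location.
function confinedPath(string $name): string
{
    if ($name === '' || $name !== basename($name) || $name[0] === '.') {
        throw new RuntimeException('invalid file name');
    }
    $dir = realpath(UPLOAD_DIR);
    if ($dir === false) {
        throw new RuntimeException('upload directory missing');
    }
    $path = $dir . DIRECTORY_SEPARATOR . $name;
    if (strpos($path, $dir . DIRECTORY_SEPARATOR) !== 0) {
        throw new RuntimeException('path escapes upload directory');
    }
    return $path;
}

// Serve a stored upload as data. The name is looked up and read, never
// include()d or eval()ed: user input selects a file to read, not code to run,
// which is the LFI/RFI point of the quoted advice.
function serveUpload(string $name): void
{
    $path = confinedPath($name);
    $ext  = strtolower(pathinfo($path, PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext]) || !is_file($path)) {
        http_response_code(404);
        return;
    }
    header('Content-Type: ' . ALLOWED[$ext]);
    header('X-Content-Type-Options: nosniff');
    header('Content-Length: ' . (string) filesize($path));
    readfile($path);
}

// Example wiring: a form field named "picture" and a ?file= download link.
if (isset($_FILES['picture'])) {
    echo storeUpload($_FILES['picture']);
} elseif (isset($_GET['file'])) {
    serveUpload((string) $_GET['file']);
}
```

The design point is that each control covers a different failure: the random name and confinedPath() keep the write inside one directory, the engine-off directory makes whatever lands there inert even if the content check is fooled, and serveUpload() shows the file being read as bytes rather than passed to include(), which is where an LFI would otherwise arise.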