Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:59530
Return-Path: <yohgaki@gmail.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 56502 invoked from network); 9 Apr 2012 19:02:18 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 9 Apr 2012 19:02:18 -0000
Authentication-Results: pb1.pair.com smtp.mail=yohgaki@gmail.com; spf=pass; sender-id=pass
Authentication-Results: pb1.pair.com header.from=yohgaki@gmail.com; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.213.170 as permitted sender)
X-PHP-List-Original-Sender: yohgaki@gmail.com
X-Host-Fingerprint: 209.85.213.170 mail-yx0-f170.google.com  
Received: from [209.85.213.170] ([209.85.213.170:64842] helo=mail-yx0-f170.google.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id E4/C4-34074-832338F4 for <internals@lists.php.net>; Mon, 09 Apr 2012 15:02:17 -0400
Received: by yenl5 with SMTP id l5so2291006yen.29
        for <internals@lists.php.net>; Mon, 09 Apr 2012 12:02:13 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=mime-version:sender:in-reply-to:references:from:date
         :x-google-sender-auth:message-id:subject:to:cc:content-type
         :content-transfer-encoding;
        bh=CnN5tcHZg6seDCMHdxqy3KhtaikyLqtMAcDtV52hWVQ=;
        b=ckeMTv1o9Kub4rs2Koldf/Zh0fBcni225Sldi6qC+64ue1J7xOExUVTqB/eAaOVd/W
         jQUzw69QG11APDENeJCfyQ3YDkiqY63qkeEd42xCZSsYpwAXW/IVuRDDuPElyAaUxNZC
         sc9hRDKU8F6mw523Bcho/8Alz3D7ZffvT7mDdwajl6WVe9a5PmhKIFRTj/n/lNqtWCLF
         SqwjHphcmAYJEeLeXsfdKYBiDqzWwXX5PEoXbh3hTvWZAHoE80P/Sg2MI4zXOoUcp9YX
         QcZB793t/HTYY9/BlBy3v4d1oAr0WN3AvZrUf0ZwsbzNIPwdJuDbecgJg8c7h9McoUJJ
         jn+w==
Received: by 10.236.72.133 with SMTP id t5mr6865031yhd.94.1333998133282; Mon,
 09 Apr 2012 12:02:13 -0700 (PDT)
MIME-Version: 1.0
Sender: yohgaki@gmail.com
Received: by 10.146.86.14 with HTTP; Mon, 9 Apr 2012 12:01:30 -0700 (PDT)
In-Reply-To: <9F1068CD-5D48-4587-8310-41C3C4CFECAC@punkave.com>
References: <CAORXhGLk8=bJ2TEo0OCzQCacjtGG=ZWYNuXf8Uu8oMNEm2WQ1A@mail.gmail.com>
 <CAGa2bXYP0kNA5PyvmdjoHZO91t8AojG9FjUe4nbCHhGjn2=MPg@mail.gmail.com>
 <CAH-PCH5UroCct9T6yuXuKNwTPstx8kAvdEbozMsWiEezjwO1JA@mail.gmail.com> <9F1068CD-5D48-4587-8310-41C3C4CFECAC@punkave.com>
Date: Tue, 10 Apr 2012 04:01:30 +0900
X-Google-Sender-Auth: IqzFEiSS-pECKYQ8190fcKvrd78
Message-ID: <CAGa2bXZFx=JW6eNLPdG+yQ0U1QGppbRzJ3wnpYZA4aAoXSGVjQ@mail.gmail.com>
To: Tom Boutell <tom@punkave.com>
Cc: Ferenc Kovacs <tyra3l@gmail.com>, PHP Internals <internals@lists.php.net>
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Subject: Re: [PHP-DEV] PHP class files without <?php at the top
From: yohgaki@ohgaki.net (Yasuo Ohgaki)

Hi,

2012/4/9 Tom Boutell <tom@punkave.com>:
> I agree, there should be no limiting of unrelated language features to
> half-protect people who can't plan where uploads go.


You misunderstood the problem.

File upload does not matter.
Mandatory embed feature makes PHP vulnerable.
See my script injection example in RFC.

https://wiki.php.net/rfc/nophptags

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net


>
> Sent from my iPhone
>
> On Apr 9, 2012, at 6:11 AM, Ferenc Kovacs <tyra3l@gmail.com> wrote:
>
>
> On Sat, Apr 7, 2012 at 10:48 PM, Yasuo Ohgaki <yohgaki@ohgaki.net> wrote:
>>
>> Hi,
>>
>> The only valid reason for removing <?php from PHP script would be
>> security.
>>
>
> I disagree here.
> What you are talking about here is
> https://www.owasp.org/index.php/Unrestricted_File_Upload
> So a=A0malicious=A0user can upload a file containing php code and fire a =
request
> which will execute it.
> Executing it can happen directly (you request the uploaded file via http)=
,
> or indirectly (you can trick some other script to include it aka LFI whic=
h
> is a vulnerability in itself)
> For preventing the uploaded files from be executed directly, one should p=
ut
> the uploaded files to a separate directory and disable the php execution =
for
> that directory via the web server config (php_flag engine 0)
>
> I=A0don't see how would the removal of the open tags prevent
> the=A0malicious=A0user from sending valid php code without opening tag.
> I know that in your example you mentioned valid image files containing ph=
p
> code with opening tag (in the image meta information), but that assumes t=
hat
> the code properly checks that the uploaded file is a valid image (or any
> other file format which can be injected with arbitrary php code). If that
> check doesn't happen or not entirely safe, one could inject php code even=
 if
> we remove the opening tags.
> So imo the correct defense against these kind of attacks is:
> - properly handle the file upload paths, so the users can only upload fil=
es
> to the given directory.
> - turn off the php engine for that directory
> - properly handle your file inclusions so you don't have LFI/RFI
> vulnerabilities.
>
> --
> Ferenc Kov=E1cs
> @Tyr43l - http://tyrael.hu