Newsgroups: php.internals
Message-ID: <4F83A2CB.2060702@sugarcrm.com>
Date: Mon, 09 Apr 2012 20:02:35 -0700
From: smalyshev@sugarcrm.com (Stas Malyshev)
Organization: SugarCRM
To: Yasuo Ohgaki
CC: internals@lists.php.net
Subject: Re: [PHP-DEV] RFC: source files without opening tag

Hi!

> It's a design vulnerability. It does not have to be an attackable security hole
> without broken code. There are many security issues and countermeasures
> like this, e.g. register globals in PHP, stack smashing attack in C, etc.

It's not stack smashing. It's like saying that because you can call external code from C, it's a C vulnerability. It's not - if you make your program execute external code, it will.

> Some people are trying to introduce TAG-less execution. A wise choice for
> TAG-less execution would be removing the famous LFI vulnerability from PHP.

It's not a vulnerability in PHP. It's a vulnerability in your code. And I don't see how anything changes with whatever "tagless execution" is - if you allow foreign code to be executed within the context of your application, it can do anything your code does. So unless you ban include completely, it will be able to do includes.

-- 
Stanislav Malyshev, Software Architect
SugarCRM: http://www.sugarcrm.com/
(408)454-6900 ext. 227
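The LFI pattern the thread argues about lives in application code, not in the interpreter. The following is an added illustration, not code from the thread or from PHP itself: the weak include beside a hardened form that maps request input onto a fixed set of files and checks the resolved path. The `pages/` directory, the page names and the function names are assumptions.

```php
<?php
// Added example (not from the thread): the LFI pattern discussed above as it
// appears in application code, beside a hardened version. Paths and names
// are assumptions made for this illustration.

// Weak form: the include path is built from request input, so whatever file
// the request names is executed with the application's own privileges.
function render_page_unsafe(): void
{
    $page = $_GET['page'] ?? 'home';
    include __DIR__ . '/pages/' . $page . '.php';
}

// Hardened form: request input selects an entry from a fixed map and is never
// used as a path component; realpath() then confirms that the resolved file
// really sits inside the pages directory (a second line of defence).
const PAGES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

function resolve_page(string $name, string $baseDir): ?string
{
    if (!array_key_exists($name, PAGES)) {
        return null;                       // unknown page name: refuse
    }
    $base = realpath($baseDir);
    $file = realpath($baseDir . DIRECTORY_SEPARATOR . PAGES[$name]);
    if ($base === false || $file === false) {
        return null;                       // directory or file missing
    }
    // The canonical path must start with "<pages dir>/".
    if (strncmp($file, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $file;
}

function render_page_safe(): void
{
    $file = resolve_page($_GET['page'] ?? 'home', __DIR__ . '/pages');
    if ($file === null) {
        http_response_code(404);
        echo 'Page not found';
        return;
    }
    include $file;
}

render_page_safe();
```

Keeping `allow_url_include` off in php.ini (its default) limits remote includes, but as the message says, the only real fix for the local case is that the application never lets request data choose which file gets executed.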