Newsgroups: php.internals
To: Yasuo Ohgaki, internals@lists.php.net
Date: Tue, 10 Apr 2012 14:13:59 -0400
Thread-Topic: [PHP-DEV] Disabling PHP tags by php.ini and CLI options
Subject: RE: [PHP-DEV] Disabling PHP tags by php.ini and CLI options
From: johncrenshaw@priacta.com (John Crenshaw)

From: yohgaki@gmail.com [mailto:yohgaki@gmail.com] On Behalf Of Yasuo Ohgaki
>
> Hi all,
>
> This is the RFC as in the title.
> Although it's not a direct security measure, it's related to critical security problem prevention.
>
> If you are not familiar with how to execute arbitrary PHP code, steal data from RDBMS via SQL injection and LFI, it may be interesting.
>
> This RFC will not break any existing code. Programmers may keep full backward compatibility while getting better security.
>
> https://wiki.php.net/rfc/nophptags

The proposed change will NOT make it safe to write

    require $_GET['name'];

Nothing can ever make that code safe. Even with remote inclusion turned off, even with PHP tags disabled, that code is fundamentally broken. It uses an uncontrolled input to execute arbitrary code and is only slightly more difficult to exploit than eval($_GET['foo']). In most systems you can upload *anything* with a .jpg extension and the app will take it, so you can still include the file, and the contents can drop straight into script, no tag needed. If the temporary upload directory is accessible to the PHP process at all you can also include the file, regardless of extension or content.

Alternately, in the unlikely case that file contents of uploads are validated, or the exploit file is otherwise not fully under control, you could use a noop slide of sorts (multiline comment, string, or docblock) to "slide" past any obligatory starting boilerplate or uncontrollable garbage in a file to quickly reach the code point. Honestly it would be far harder to craft an attack file if you *REQUIRED* the file to start with
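The dynamic include the message calls unfixable, as an added example that is not part of this thread or of the RFC: the broken form beside a hardened version in which the request parameter only selects a key from a fixed allow-list and never reaches the include path (the page names, directory and helper name are assumptions).

```php
<?php
// Added example, not from the mailing-list thread.

// --- broken: attacker-controlled string reaches require() ------------------
// require $_GET['name'];   // DO NOT USE: local file inclusion / code execution

// --- hardened: request data picks an entry from a fixed allow-list --------
// Assumption: includable pages live under a fixed directory, keyed by short names.
const PAGE_DIR = __DIR__ . '/pages';   // hypothetical location
const PAGES = [                         // the only files that may ever be included
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

/**
 * Map a request value to an allow-listed page file, or null if it is not allowed.
 * The user value is used only as an array key and is never concatenated into
 * the path, so '../', null bytes, stream wrappers (php://, data:) and uploaded
 * .jpg files are all rejected by construction, whatever php.ini says.
 */
function resolvePage(?string $name): ?string
{
    if ($name === null || !array_key_exists($name, PAGES)) {
        return null;
    }
    $base = realpath(PAGE_DIR);
    $real = realpath(PAGE_DIR . '/' . PAGES[$name]);
    // Belt and braces: the resolved file must still sit inside PAGE_DIR.
    if ($base === false || $real === false
        || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $real;
}

// ?name[]=x would arrive as an array; treat anything that is not a string as absent.
$raw  = $_GET['name'] ?? null;
$page = resolvePage(is_string($raw) ? $raw : null);
if ($page === null) {
    http_response_code(404);
    exit('Not found');
}
require $page;
```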