Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:59701
Return-Path: <yohgaki@gmail.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 47603 invoked from network); 11 Apr 2012 02:52:34 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 11 Apr 2012 02:52:34 -0000
Authentication-Results: pb1.pair.com smtp.mail=yohgaki@gmail.com; spf=pass; sender-id=pass
Authentication-Results: pb1.pair.com header.from=yohgaki@gmail.com; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.161.170 as permitted sender)
X-PHP-List-Original-Sender: yohgaki@gmail.com
X-Host-Fingerprint: 209.85.161.170 mail-gx0-f170.google.com  
Received: from [209.85.161.170] ([209.85.161.170:62985] helo=mail-gx0-f170.google.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id DC/BC-18401-1F1F48F4 for <internals@lists.php.net>; Tue, 10 Apr 2012 22:52:34 -0400
Received: by ggmb2 with SMTP id b2so304280ggm.29
        for <internals@lists.php.net>; Tue, 10 Apr 2012 19:52:30 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=mime-version:sender:in-reply-to:references:from:date
         :x-google-sender-auth:message-id:subject:to:cc:content-type;
        bh=XXmI0WeHDyl3wq9Ti5V2+Q1iBdyiDjrR6O0HnA1ej3w=;
        b=WyR3/rINpWQfJ6KGW/JeiSqBPIgvJZmpLKTVNTkRLIEDAo/d1UwH1W5ZfN6VoTVJl/
         MlJkZEy3nQoId3n8hQFzQ5mmp9FSLHM2MJEMAm7ZJMCU/P+C969/W55IfoY6aaGL3PIJ
         EC6m2/XBCcR9wwrnYs4rOGlO60bciFsx5LjiYy9XZktsRqK+a8ACNAcjt3HtcaE3wFs1
         7CVLAeyTu3IqOn01immeJyYPYQ/0OQAVGkm6grSTaZkA3vCjaXtxmiT/9hVI2BocjcWA
         n7hNzr1yybD3AJ9Yj0esLXgWcDRt2IAcUYVM8m3R3+618QqSNmOhBevvz4Cm91yewncw
         xQBQ==
Received: by 10.101.152.40 with SMTP id e40mr3652713ano.42.1334112750732; Tue,
 10 Apr 2012 19:52:30 -0700 (PDT)
MIME-Version: 1.0
Sender: yohgaki@gmail.com
Received: by 10.146.86.14 with HTTP; Tue, 10 Apr 2012 19:51:50 -0700 (PDT)
In-Reply-To: <A633CF2D7C7BED41B41F1E64F25507B806A5CDD6C2@MAILR001.mail.lan>
References: <CAGa2bXZ6G=Cphjrde3u1Mq3AAw-4yJk3s28vNe+Aybt2nGTumg@mail.gmail.com>
 <CAGa2bXZh4uMeUH_BSCFmfNgxS-SZC0svA9BPcSROjwmbfrtFyQ@mail.gmail.com>
 <CAGa2bXbhi4zdgd9Udo6KsoycDwg_Ke0Xe5h3_-fVDMvn_VfAjQ@mail.gmail.com> <A633CF2D7C7BED41B41F1E64F25507B806A5CDD6C2@MAILR001.mail.lan>
Date: Wed, 11 Apr 2012 11:51:50 +0900
X-Google-Sender-Auth: GoPNYH9uKqqsBb88xZ3aAR_T1Bs
Message-ID: <CAGa2bXZKfQ+HqOucwOnBH7gV84hpdxZb5qNY3t3ThF_zMKSGHw@mail.gmail.com>
To: John Crenshaw <johncrenshaw@priacta.com>
Cc: "internals@lists.php.net" <internals@lists.php.net>
Content-Type: text/plain; charset=ISO-8859-1
Subject: Re: [PHP-DEV] Re: Disabling PHP tags by php.ini and CLI options
From: yohgaki@ohgaki.net (Yasuo Ohgaki)

Hi,

I've reorganized benefits in the RFC and would like to share

https://wiki.php.net/rfc/nophptags?&#why_this_is_better_than_now


2012/4/11 John Crenshaw <johncrenshaw@priacta.com>:
> From: yohgaki@gmail.com [mailto:yohgaki@gmail.com] On Behalf Of Yasuo Ohgaki
>>
>> Hi,
>>
>> It seems motivation of this RFC is better to be stated.
>> Motivation to have this RFC is
>>
>> 1. "File Includes" is fatal security breach.
>> 2. The reason why PHP is unsecure to "File Include" than other language is "Mandatory embed mode"
>> 3. Non mandatory embed mode gives option users to better security.
>>
>> With this RFC, PHP could be as safe as other scripting languages with respect to file includes. This RFC is fully compatible with current code. Writing backward compatible code is as few as 3 lines.
>
> No, I understood the reasons, but I reject the assumption that you are making. The "embed mode" doesn't have a measurable impact on the security of this system. The vulnerable code can be exploited in countless ways with or without embed mode.

You are making bad assumption.
If we follow your assumption, we should not  implement any mitigation like
null byte protection nor open_basedir.

Bottom line is LFI is real thread and critical. This RFC provides feasible way
to remove the main cause. (i.e. Mandatory embedded mode)

>
>> Most of security measures are not perfect solutions, but mitigation, just like canary and DEP. I suppose people who are concerned with security understand the value of these protections.
>
> Look, I'm the first to stand up for improved security, but that's now what we have here. Just calling this a security improvement doesn't make it true.

Please read reorganized section and other description in the RFC.

>
>> Is there any good reasons not to have non mandatory embed mode as a additional security measure? Why not to make it harder for attackers to exploit?
>
> Yes. This fundamentally breaks the language. PHP was first and foremost a template language. In fact, the strong template integration is a huge part of why one would build a web site in PHP, not C++.

You misunderstood the RFC. It does *NOT* break anything. It's the best
of both embedded and non-embedded language.

>> In short, I'm really annoyed to hear "PHP is insecure than Ruby/Perl/Python/etc"
>
> Anyone who says this is wrong. Ruby is in fact far less secure, because it doesn't even have cursory escaping functions and a variety of unpredictable behaviors (implicit returns) can lead to wild results.

Yes, I know where Ruby/Perl/Python can be insecure than PHP.
I don't audit Python/Perl much but I do PHP/Ruby (and others)

If LFI vulnerability was uncommon, I would not insist this RFC strongly.
Mandatory embedded scripting far more insecure than non embedded or
optionally embedded languages.

I think you misunderstood the RFC, so I reorganized a little.
Please read and comment, if any.

https://wiki.php.net/rfc/nophptags

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net