Newsgroups: php.internals
Xref: news.php.net php.internals:59707
Subject: Re: [PHP-DEV] Re: Disabling PHP tags by php.ini and CLI options
From: yohgaki@ohgaki.net (Yasuo Ohgaki)
To: Stas Malyshev
Cc: John Crenshaw, internals@lists.php.net
Date: Wed, 11 Apr 2012 14:21:41 +0900
In-Reply-To: <4F850D06.10701@sugarcrm.com>
References: <4F850D06.10701@sugarcrm.com>

Hi,

2012/4/11 Stas Malyshev:
> Hi!
>
>> https://wiki.php.net/rfc/nophptags?&#why_this_is_better_than_now
>
> I'm sorry, but I do not understand how your proposal prevents LFI. Let's
> say you had this file kill.php:
>
> and you were afraid that somebody would write the code "include
> $_GET['foo'];" and pass kill.php as foo and kill your server. Now, you
> propose banning
> kill_kill_kill();

We don't kill(), but validate with template_mode=off. It's impossible to inject kill() everywhere, but we can validate file headers.

>
> and you still can include it with "include $_GET['foo'];" and get the
> same result. Where's the difference?

With template_mode=on, PHP behaves exactly the same as it does now. The easiest way to prevent unwanted script execution is injecting kill() at the beginning of the file. For files not under control, LFI just discloses it :(

With template_mode=off, all we have to do is make sure files have a valid (non-PHP-code) header. Kill() injections are not required. For files not under control, LFI results in a syntax error almost always :)

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net
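To make the difference the two messages argue about concrete, here is an added PHP example (not from the thread, the RFC, or its patch) that emulates both modes with PHP's own tokenizer: template mode runs code only if an open tag appears somewhere in the file, while template_mode=off is approximated by parsing the file as code from its first byte, which this example does by prepending an open tag (an assumption about how the RFC's mode would lex a file, not the RFC's implementation).

```php
<?php
// Added example, not from the thread. Emulates the two modes under
// discussion with the tokenizer (needs PHP >= 7.0 for TOKEN_PARSE/ParseError).
function classify(string $source, bool $templateMode): string
{
    if ($templateMode) {
        // Today's behaviour: bytes outside <?php ... ?> are inline output,
        // so the file runs code iff an open tag appears anywhere in it.
        foreach (token_get_all($source) as $tok) {
            if (is_array($tok) && ($tok[0] === T_OPEN_TAG || $tok[0] === T_OPEN_TAG_WITH_ECHO)) {
                return 'executes embedded code';
            }
        }
        return 'emitted verbatim, no code runs';
    }
    // template_mode=off: assumed to lex the whole file as code from byte one.
    // Emulated by prepending an open tag; TOKEN_PARSE runs the real parser,
    // which throws ParseError on anything that is not valid PHP code.
    try {
        token_get_all("<?php " . $source, TOKEN_PARSE);
        return 'parses as PHP code (would execute)';
    } catch (ParseError $e) {
        return 'syntax error, nothing executes: ' . $e->getMessage();
    }
}

// Constructed sample files. kill.php carries the body quoted in the thread;
// mixed.txt stands in for any file that is not PHP code (a note, a log, an
// upload) but has a PHP snippet somewhere inside it.
$samples = [
    'notes.txt' => "Deployment notes, nothing to execute here.\n",
    'kill.php'  => "kill_kill_kill();\n",
    'mixed.txt' => "Deployment notes.\n<?php kill_kill_kill(); ?>\n",
];

foreach ($samples as $name => $source) {
    printf("%-10s template_mode=on : %s\n", $name, classify($source, true));
    printf("%-10s template_mode=off: %s\n", $name, classify($source, false));
}
```

Under template_mode=off only kill.php parses, because it is PHP code from its first byte; both files with a non-code header stop at a parse error before anything runs, which is the "valid (non-PHP-code) header" argument made above, while under template_mode=on it is mixed.txt, the file with an open tag buried in it, that executes.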