Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:59732
Return-Path: <rasmus@lerdorf.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 43626 invoked from network); 11 Apr 2012 14:08:42 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 11 Apr 2012 14:08:42 -0000
Authentication-Results: pb1.pair.com header.from=rasmus@lerdorf.com; sender-id=unknown
Authentication-Results: pb1.pair.com smtp.mail=rasmus@lerdorf.com; spf=permerror; sender-id=unknown
Received-SPF: error (pb1.pair.com: domain lerdorf.com from 209.85.216.47 cause and error)
X-PHP-List-Original-Sender: rasmus@lerdorf.com
X-Host-Fingerprint: 209.85.216.47 mail-qa0-f47.google.com  
Received: from [209.85.216.47] ([209.85.216.47:55643] helo=mail-qa0-f47.google.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id 8D/A0-36454-960958F4 for <internals@lists.php.net>; Wed, 11 Apr 2012 10:08:42 -0400
Received: by qabg1 with SMTP id g1so3715658qab.13
        for <internals@lists.php.net>; Wed, 11 Apr 2012 07:08:39 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=google.com; s=20120113;
        h=message-id:date:from:user-agent:mime-version:to:cc:subject
         :references:in-reply-to:x-enigmail-version:content-type
         :content-transfer-encoding:x-gm-message-state;
        bh=hufPm4wuYVWUGe0QHwn3xkl7l43mf9Gj4q4Xux1FH4Q=;
        b=APa/tgTHjQhk2NMlNFirNEhsowH5r1iepVRrNVznUobIrgVEyT3pL+a3MP3Y3rqpsZ
         oZWZW3faMgGSo8kHCXfrKJfafAgvRj97MFauo/JZoGPJmxaJTrC/wDXAVZg82QU6ljzW
         TF7bTjoPgmcwVb9oy/4sUH4Ag/F5QOTJYoRiBBIw5fh20cjXD9T0ZuD5WPY5YcgSYa59
         l4KXxC7fKpRmBE+365DL2pyC4f422B2Lne1eC/z887MVW026bAoI3Jmma7CezDfw8ECQ
         LbmmqvM/nEgGknz8zBaxFOUR/eW2zeBzF/RuCDvRFzUCrgeQK3rFakyafX1Mv2XqfryT
         idSQ==
Received: by 10.229.135.146 with SMTP id n18mr6201360qct.44.1334153319065;
        Wed, 11 Apr 2012 07:08:39 -0700 (PDT)
Received: from [192.168.201.2] (200.sub-166-250-78.myvzw.com. [166.250.78.200])
        by mx.google.com with ESMTPS id bm15sm5839513qab.17.2012.04.11.07.08.37
        (version=SSLv3 cipher=OTHER);
        Wed, 11 Apr 2012 07:08:38 -0700 (PDT)
Message-ID: <4F859063.1010401@lerdorf.com>
Date: Wed, 11 Apr 2012 07:08:35 -0700
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:11.0) Gecko/20120329 Thunderbird/11.0.1
MIME-Version: 1.0
To: Stas Malyshev <smalyshev@sugarcrm.com>
CC: Yasuo Ohgaki <yohgaki@ohgaki.net>, 
 "internals@lists.php.net" <internals@lists.php.net>
References: <CAGa2bXZ6G=Cphjrde3u1Mq3AAw-4yJk3s28vNe+Aybt2nGTumg@mail.gmail.com> <CAGa2bXZh4uMeUH_BSCFmfNgxS-SZC0svA9BPcSROjwmbfrtFyQ@mail.gmail.com> <CAGa2bXbhi4zdgd9Udo6KsoycDwg_Ke0Xe5h3_-fVDMvn_VfAjQ@mail.gmail.com> <A633CF2D7C7BED41B41F1E64F25507B806A5CDD6C2@MAILR001.mail.lan> <CAGa2bXZKfQ+HqOucwOnBH7gV84hpdxZb5qNY3t3ThF_zMKSGHw@mail.gmail.com> <4F850D06.10701@sugarcrm.com> <CAGa2bXZWrRh8RdMtKK_2_U_XmByC-O6hGRPrJyW5KwvE0CAK-w@mail.gmail.com> <4F8515AF.8060706@sugarcrm.com> <CAGa2bXZWudQeRm5h2eENGmgQDPfOqEmijB9-vPAvfKXLCfDiLw@mail.gmail.com> <4F851FE4.7000706@sugarcrm.com> <CAGa2bXbXdNcfHX_dM2EVVz_2JtS4cc+8pxneSLAd382TuQUg-w@mail.gmail.com> <4F8539E0.1090701@sugarcrm.com>
In-Reply-To: <4F8539E0.1090701@sugarcrm.com>
X-Enigmail-Version: 1.4
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
X-Gm-Message-State: ALoCoQn9DaT17qEdCfhYKFklKp6tDYKqOgKuH1PYAkkH0SvJTsQXkpgBh2WuijQ/GmOvNV9LiSIl
Subject: Re: [PHP-DEV] Re: Disabling PHP tags by php.ini and CLI options
From: rasmus@lerdorf.com (Rasmus Lerdorf)

On 04/11/2012 12:59 AM, Stas Malyshev wrote:
>> Therefore, it should not be misunderstood as perfect LFI
>> countermeasure even if I stressed on security meanings.
>> I'm stressing security because this actually helps PHP being
>> much safer than now.
> 
> I don't see how it is "much safer". Exactly the same problem exists. Not
> only it is not "perfect" countermeasure, it's not countermeasure at all,
> judging from your description. It's like saying "I have SQL injection
> protection, but only if word "please" is not part of the SQL injection".
> It's not a real protection then.

I guess he is saying that it prevents:

   Random bytes
   <?php kill();?>
   More random bytes

Where random bytes might be an image file so finfo_file() might identify
it as a valid image whereas it doesn't prevent:

  <?php kill();?>
  Random bytes

from being mistakenly included. And I guess a secondary thing it might
prevent is an include of something like /etc/passwd since there is no
valid PHP code there and it would error out.

So, those are the pros. The cons are:

1. Creating a new mode for PHP that essentially breaks most existing PHP
code if this mode is enabled puts more pressure on people trying to
write portable code. It would encourage them to never use templating
mode since non-templating mode is the only safe approach that would work
regardless of the configuration. Much the same way that all portable
code uses <?php and no <?

2. Templating is a defining characteristic of PHP. For many people it is
the primary reason they even use PHP. Adding a feature that would
essentially discourage use of a defining feature of PHP is illogical.

3. For the /etc/passwd case, the syntax error might reveal enough data
about the contents of the file that this doesn't actually provide enough
of a benefit unless we also heavily redact what we show in a syntax
error. Of course, the argument here is not to show the error to users,
but people who write code with include $_GET['filename'] aren't likely
to follow best practices in the first place.

4. Only protecting against mid-script injections and not top-of-script
injections is a somewhat subtle concept when the real problem is the
vulnerable include $_GET['filename'] hole. If this really is a prevalent
problem, maybe instead of trying to mitigate the symptoms, why don't we
try to attack the actual cause of the problem. I would love to hear some
ideas along those lines that don't fundamentally change the nature of
PHP for somewhat cloudy benefits.

-Rasmus