Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:59733 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 52449 invoked from network); 11 Apr 2012 15:12:43 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 11 Apr 2012 15:12:43 -0000 Authentication-Results: pb1.pair.com smtp.mail=luke@cywh.com; spf=permerror; sender-id=unknown Authentication-Results: pb1.pair.com header.from=luke@cywh.com; sender-id=unknown Received-SPF: error (pb1.pair.com: domain cywh.com from 209.85.220.170 cause and error) X-PHP-List-Original-Sender: luke@cywh.com X-Host-Fingerprint: 209.85.220.170 mail-vx0-f170.google.com Received: from [209.85.220.170] ([209.85.220.170:64970] helo=mail-vx0-f170.google.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id 46/12-36454-A6F958F4 for ; Wed, 11 Apr 2012 11:12:43 -0400 Received: by vcbfo14 with SMTP id fo14so791507vcb.29 for ; Wed, 11 Apr 2012 08:12:40 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=references:from:in-reply-to:mime-version:date:message-id:subject:to :cc:content-type:x-gm-message-state; bh=Vwbz0zu+gfN6ysH0bi10ZvJHYFwVnwhfmYmpag3pyrg=; b=kC6tWl/8geynnVi3XvlE2+MmgWx+VtauFwRyZ3x0d91cEqgGmhj1Bc9vGFO5XAeRPT P353r+hAiUadoqWnegp/ZeUsyIzvPGyMi0cgtBMz7B6rFsp2pIG0gP9Q8kixrzAN3JJc pkDixleXkbY0R6aSC7gz1NFj1aac90kzrLrtEBSX64qHLb/sGJ9U0CObRQjAEt8Uzdha izd2LiEd/6LoqqWXd7PVEf+mDm8FWN1ANmFfu+1MkFh1jq363HceXlQ4DCDlVtInZFYi tH5oRulvDjvLfDeuGfj8XNo6KgfVEJCfwNfP8CApVFH1bERYOp6+akXGUmINCyo6u5wV pipw== Received: by 10.220.31.3 with SMTP id w3mr7947656vcc.21.1334157159956; Wed, 11 Apr 2012 08:12:39 -0700 (PDT) References: <4F850D06.10701@sugarcrm.com> <4F8515AF.8060706@sugarcrm.com> <4F851FE4.7000706@sugarcrm.com> <4F8539E0.1090701@sugarcrm.com> <4F859063.1010401@lerdorf.com> In-Reply-To: <4F859063.1010401@lerdorf.com> Mime-Version: 1.0 (1.0) Date: Wed, 11 Apr 2012 08:12:37 -0700 Message-ID: <-3427386339833244777@unknownmsgid> To: Rasmus Lerdorf Cc: Stas Malyshev , Yasuo Ohgaki , "internals@lists.php.net" Content-Type: text/plain; charset=ISO-8859-1 X-Gm-Message-State: ALoCoQk9C5HOLywUeJEXjJYfx/FoLXmtScitIRNBLmuBOdbUFXAVXfU0xtr3S0uXJMplpul7rWjV Subject: Re: [PHP-DEV] Re: Disabling PHP tags by php.ini and CLI options From: luke@cywh.com (Luke Scott) Hey Rasmus, Here are my thoughts: On Apr 11, 2012, at 7:09 AM, Rasmus Lerdorf wrote: > On 04/11/2012 12:59 AM, Stas Malyshev wrote: >>> Therefore, it should not be misunderstood as perfect LFI >>> countermeasure even if I stressed on security meanings. >>> I'm stressing security because this actually helps PHP being >>> much safer than now. >> >> I don't see how it is "much safer". Exactly the same problem exists. Not >> only it is not "perfect" countermeasure, it's not countermeasure at all, >> judging from your description. It's like saying "I have SQL injection >> protection, but only if word "please" is not part of the SQL injection". >> It's not a real protection then. > > I guess he is saying that it prevents: > > Random bytes > > More random bytes > > Where random bytes might be an image file so finfo_file() might identify > it as a valid image whereas it doesn't prevent: > > > Random bytes > > from being mistakenly included. And I guess a secondary thing it might > prevent is an include of something like /etc/passwd since there is no > valid PHP code there and it would error out. Isn't this determined by the web server, not PHP? The only way this would happen is if image files were sent to the PHP interpreter or the image had a .php. In both cases it's the server admins responsibility to make sure the web server doesn't send any file from an upload folder to the PHP interpreter, with a .PHP extension or not. The programmer should also be mindful of what extensions are being allowed to go in the upload folder incase the server admin was negligent. The only benefit is only having to check the start of the file for a So, those are the pros. The cons are: > > 1. Creating a new mode for PHP that essentially breaks most existing PHP > code if this mode is enabled puts more pressure on people trying to > write portable code. It would encourage them to never use templating > mode since non-templating mode is the only safe approach that would work > regardless of the configuration. Much the same way that all portable > code uses is disallowed. Tom's RFC calls for template mode to remain the default, but allow you to add a flag to require/include to interpret the script in "pure mode". Allowing an optional starting in the middle of a class (which most people already do voluntarily). > 2. Templating is a defining characteristic of PHP. For many people it is > the primary reason they even use PHP. Adding a feature that would > essentially discourage use of a defining feature of PHP is illogical. True. People are side stepping this though for template engines such as Twig, PHPTAL, Smarty (ug..), just to name a few. PHP is being used more as a programming language than a template engine. People have already naturally gravitated towards keeping their code separate. Toms proposal of a code and template mode makes sense. It clearly separates the two. You could theoretically enhance the template part. Like I love the idea of PHPTAL - I wrote a similar template engine that uses attributes to convey logic (data-if, for example). Attribute syntax preserves the design of a template. Right now I have to parse this and convert this to a PHP class. Wouldn't it be great if PHP did this in its template mode? Or easily allowed people to provide alternate "template engines" that required no pre-parsing in PHP (other than the usual code to opcode transformation)? > 3. For the /etc/passwd case, the syntax error might reveal enough data > about the contents of the file that this doesn't actually provide enough > of a benefit unless we also heavily redact what we show in a syntax > error. Of course, the argument here is not to show the error to users, > but people who write code with include $_GET['filename'] aren't likely > to follow best practices in the first place. > > 4. Only protecting against mid-script injections and not top-of-script > injections is a somewhat subtle concept when the real problem is the > vulnerable include $_GET['filename'] hole. If this really is a prevalent > problem, maybe instead of trying to mitigate the symptoms, why don't we > try to attack the actual cause of the problem. I would love to hear some > ideas along those lines that don't fundamentally change the nature of > PHP for somewhat cloudy benefits. The problem is people are doing that. The solution is they should stop doing that. Anyone doing this is asking for trouble. The fix is better education. In the end while I do support the idea of not allowing "embed mode" (as a choice when doing require/include), I cannot support the idea that it somehow makes things more secure. Luke