Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:72461
Return-Path: <rasmus@lerdorf.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 97496 invoked from network); 11 Feb 2014 18:10:51 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 11 Feb 2014 18:10:51 -0000
Authentication-Results: pb1.pair.com header.from=rasmus@lerdorf.com; sender-id=unknown
Authentication-Results: pb1.pair.com smtp.mail=rasmus@lerdorf.com; spf=permerror; sender-id=unknown
Received-SPF: error (pb1.pair.com: domain lerdorf.com from 209.85.216.48 cause and error)
X-PHP-List-Original-Sender: rasmus@lerdorf.com
X-Host-Fingerprint: 209.85.216.48 mail-qa0-f48.google.com  
Received: from [209.85.216.48] ([209.85.216.48:38217] helo=mail-qa0-f48.google.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id E7/67-62230-AA76AF25 for <internals@lists.php.net>; Tue, 11 Feb 2014 13:10:50 -0500
Received: by mail-qa0-f48.google.com with SMTP id f11so12159932qae.7
        for <internals@lists.php.net>; Tue, 11 Feb 2014 10:10:47 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20130820;
        h=x-gm-message-state:message-id:date:from:user-agent:mime-version:to
         :subject:references:in-reply-to:content-type;
        bh=JY/gl9H0LdGwf7wjVunCDxkW+JDhMWC0fb/7hFx3kMw=;
        b=VkufCOwxI8/qmGFMuRBp4JCVKbB1qvmvz3kXzxN9bvUFQqovutaokwHSzXH31xNMpw
         Fx994GtI2LHAPQ6h9P3Bsv0m/WWWueVq8xOrv5Dpd2Dg98Md91ov1YuSAQXbGvaPGIk8
         9EDOexPg61zdqchnaLbRAAuyO6rULEj6W0+Gl1ujOSgh26ia02CTF957B3yJb4HTP9nn
         UdJKFz5wbVgBhTR5TYKycgMUvG8YYq9u9p9x05TTnI25ncsVjfp6jPbUp/wKH8egnBKD
         YqE5ESS01RAv5x+mtDl8gUtHURG1ItWgLN0zPVKboqDN5NsZgFVZ+K+WkohmiJhyZKcV
         HIag==
X-Gm-Message-State: ALoCoQks0SQIK+JupMGaapnz67X/xF78F4cejb/l/IVK+AUE4OGcTawBuOg/Ti3YYQ/0MRcFqU6y
X-Received: by 10.224.34.71 with SMTP id k7mr59893221qad.15.1392142246977;
        Tue, 11 Feb 2014 10:10:46 -0800 (PST)
Received: from [192.168.200.30] (c-50-131-44-225.hsd1.ca.comcast.net. [50.131.44.225])
        by mx.google.com with ESMTPSA id l40sm29776029qga.13.2014.02.11.10.10.45
        for <multiple recipients>
        (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128);
        Tue, 11 Feb 2014 10:10:45 -0800 (PST)
Message-ID: <52FA67A4.3030708@lerdorf.com>
Date: Tue, 11 Feb 2014 10:10:44 -0800
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:24.0) Gecko/20100101 Thunderbird/24.3.0
MIME-Version: 1.0
To: Yasuo Ohgaki <yohgaki@ohgaki.net>, 
 "internals@lists.php.net" <internals@lists.php.net>
References: <CAGa2bXYU0+eVgnDCkqpG6AWvLCX9gV3+5nzoeD-RJge8Rtw-dQ@mail.gmail.com> <CAGa2bXZCBxJczqX6FKz0T0_iV9LzdeHkw46c17NQsanuCCJ9rA@mail.gmail.com>
In-Reply-To: <CAGa2bXZCBxJczqX6FKz0T0_iV9LzdeHkw46c17NQsanuCCJ9rA@mail.gmail.com>
X-Enigmail-Version: 1.6
Content-Type: multipart/signed; micalg=pgp-sha1;
 protocol="application/pgp-signature";
 boundary="tw9N9TgEsrEONHdO3S5sE0sQLs4mf4dK2"
Subject: Re: [PHP-DEV] Re: [RFC] No PHP tags
From: rasmus@lerdorf.com (Rasmus Lerdorf)

--tw9N9TgEsrEONHdO3S5sE0sQLs4mf4dK2
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

On 2/11/14, 9:42 AM, Yasuo Ohgaki wrote:
> Let me rephrase. Does anyone argue that the fact
>=20
> Local script inclusion is *much grater security threat* than local scri=
pt
> expose.
>=20
> "Local script expose" is the only drawback of this RFC.
> Currently, insecure include()/require() allows script execution.
> With this RFC, insecure include()/require() may allow script expose.
>=20
> Latter is obvious error as it shows wrong behavior while script executi=
on
> is
> not obvious at all. If user care to script expose, they can simply add
> "<?php"
> at the top of script as it is now.
>=20
> We can make secure program with register_globals=3DOn as well as embed
> everything by default. The same argument applies here. IMHO.

You need 2 things to go wrong though. 1st, you need a way for someone to
upload arbitrary files, and second, you need a include $_GET['filename']
somewhere. However, if you think about it, the include part is
completely secondary, if you can upload arbitrary files you can just
request them directly in order to execute them so the include part is
irrelevant.

Or, if you remove the arbitrary upload part you are down to only being
able to include already existing files but most files don't actually do
anything on their own. PHP files tend to either be top-level template
files designed to be shown to the user, or they contain functions or
classes which do nothing until called. The act of including them
typically doesn't actually execute any code. So yes, in my view script
exposure is a more serious problem than script execution from an
insecure include so your suggested change would make things worse, not
better.

-Rasmus


--tw9N9TgEsrEONHdO3S5sE0sQLs4mf4dK2
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"

-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.22 (Darwin)
Comment: GPGTools - https://gpgtools.org

iEYEARECAAYFAlL6Z6QACgkQlxayKTuqOuD9XQCfe3JcSW8jPBW+AABJ0CNxRLC8
07sAnjY1P0Xjt/UZgnL6vaTHRfVSR+sp
=tPui
-----END PGP SIGNATURE-----

--tw9N9TgEsrEONHdO3S5sE0sQLs4mf4dK2--