Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:72485
Return-Path: <yohgaki@gmail.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 55911 invoked from network); 11 Feb 2014 23:14:15 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 11 Feb 2014 23:14:15 -0000
Authentication-Results: pb1.pair.com header.from=yohgaki@gmail.com; sender-id=pass
Authentication-Results: pb1.pair.com smtp.mail=yohgaki@gmail.com; spf=pass; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.217.171 as permitted sender)
X-PHP-List-Original-Sender: yohgaki@gmail.com
X-Host-Fingerprint: 209.85.217.171 mail-lb0-f171.google.com  
Received: from [209.85.217.171] ([209.85.217.171:62033] helo=mail-lb0-f171.google.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id 6D/00-55284-5CEAAF25 for <internals@lists.php.net>; Tue, 11 Feb 2014 18:14:14 -0500
Received: by mail-lb0-f171.google.com with SMTP id c11so6452032lbj.16
        for <internals@lists.php.net>; Tue, 11 Feb 2014 15:14:10 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=mime-version:sender:in-reply-to:references:from:date:message-id
         :subject:to:cc:content-type;
        bh=aLg6/tOFFVniFRQG+AxD7J13gBHE72ZY072xuBt7dqA=;
        b=0yAMfNCXu0+c32vPU+6FQdcScmCtdogvpx1bosfrMQm8MaS54OEycfWNrEzhRbQgbN
         M0deWVTvxWGtQygkkg3eHRXykKl2JYwoaPv1uhE+f43B1lkSfM++m+jD/k1cKdkIWxZI
         ZyC493EhJDlP8xg0KhLvtxa2t0RluSni39lbWZ0kEIKMKYMNDU9/w7IJZ/bZqzo5+47M
         m9xuOqNqvAcbWt8dXquIbJW1wHDQF1DWotAyrhaUaODM8jTcvJTBn9UhKEk2tw0hnyJZ
         3IaTlmqKDhDJ11tvICQcwwfBfkyxGpMamX57fUFmEMdocEFtQh3XzsCPerhlnYVTjTYn
         Ap0Q==
X-Received: by 10.112.138.233 with SMTP id qt9mr8446246lbb.34.1392160450450;
 Tue, 11 Feb 2014 15:14:10 -0800 (PST)
MIME-Version: 1.0
Sender: yohgaki@gmail.com
Received: by 10.112.199.37 with HTTP; Tue, 11 Feb 2014 15:13:30 -0800 (PST)
In-Reply-To: <52FA67A4.3030708@lerdorf.com>
References: <CAGa2bXYU0+eVgnDCkqpG6AWvLCX9gV3+5nzoeD-RJge8Rtw-dQ@mail.gmail.com>
 <CAGa2bXZCBxJczqX6FKz0T0_iV9LzdeHkw46c17NQsanuCCJ9rA@mail.gmail.com> <52FA67A4.3030708@lerdorf.com>
Date: Wed, 12 Feb 2014 08:13:30 +0900
X-Google-Sender-Auth: E8ImCtXsovV9d-9dT4tD_PaTTSE
Message-ID: <CAGa2bXaHTCx+8=BJH-L+KqANo9NtEML3cp2sJqgv1jmGLYXaGg@mail.gmail.com>
To: Rasmus Lerdorf <rasmus@lerdorf.com>
Cc: "internals@lists.php.net" <internals@lists.php.net>
Content-Type: multipart/alternative; boundary=089e012297101e987504f2299d94
Subject: Re: [PHP-DEV] Re: [RFC] No PHP tags
From: yohgaki@ohgaki.net (Yasuo Ohgaki)

--089e012297101e987504f2299d94
Content-Type: text/plain; charset=UTF-8

Hi Rasmus,

On Wed, Feb 12, 2014 at 3:10 AM, Rasmus Lerdorf <rasmus@lerdorf.com> wrote:

> On 2/11/14, 9:42 AM, Yasuo Ohgaki wrote:
> > Let me rephrase. Does anyone argue that the fact
> >
> > Local script inclusion is *much grater security threat* than local script
> > expose.
> >
> > "Local script expose" is the only drawback of this RFC.
> > Currently, insecure include()/require() allows script execution.
> > With this RFC, insecure include()/require() may allow script expose.
> >
> > Latter is obvious error as it shows wrong behavior while script execution
> > is
> > not obvious at all. If user care to script expose, they can simply add
> > "<?php"
> > at the top of script as it is now.
> >
> > We can make secure program with register_globals=On as well as embed
> > everything by default. The same argument applies here. IMHO.
>
> You need 2 things to go wrong though. 1st, you need a way for someone to
> upload arbitrary files, and second, you need a include $_GET['filename']
> somewhere. However, if you think about it, the include part is
> completely secondary, if you can upload arbitrary files you can just
> request them directly in order to execute them so the include part is
> irrelevant.
>

I'm aware of this issue. That's the reason why I added
script()/script_once()
to original proposal. (include()/require() works as it is now. For
compatibility,
users may simply wrap include() to have script() for older PHP)

Or, if you remove the arbitrary upload part you are down to only being
> able to include already existing files but most files don't actually do
> anything on their own. PHP files tend to either be top-level template
> files designed to be shown to the user, or they contain functions or
> classes which do nothing until called. The act of including them
> typically doesn't actually execute any code. So yes, in my view script
> exposure is a more serious problem than script execution from an
> insecure include so your suggested change would make things worse, not
> better.


Attackers can use script inclusion to do anything, including reading
scripts and
any other security sensitive files. They can do more than reading with LFI.
Therefore, LFI is worse than script exposure to me.

I like the way PHP works. Embedded script nice for web applications and we
should not drop it, but it's better for security  if it is restricted to
only where
it is needed.

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net

--089e012297101e987504f2299d94--