Newsgroups: php.internals
Xref: news.php.net php.internals:72486
Date: Wed, 12 Feb 2014 08:33:32 +0900
From: yohgaki@ohgaki.net (Yasuo Ohgaki)
To: Rasmus Lerdorf
Cc: "internals@lists.php.net"
Subject: Re: [PHP-DEV] Re: [RFC] No PHP tags
References: <52FA67A4.3030708@lerdorf.com>

Hi Rasmus,

On Wed, Feb 12, 2014 at 8:13 AM, Yasuo Ohgaki wrote:
> On Wed, Feb 12, 2014 at 3:10 AM, Rasmus Lerdorf wrote:
>
>> On 2/11/14, 9:42 AM, Yasuo Ohgaki wrote:
>> > Let me rephrase. Does anyone argue with the fact that
>> >
>> > Local script inclusion is a *much greater security threat* than local
>> > script exposure.
>> >
>> > "Local script exposure" is the only drawback of this RFC.
>> > Currently, insecure include()/require() allows script execution.
>> > With this RFC, insecure include()/require() may allow script exposure.
>> >
>> > The latter is an obvious error, as it shows wrong behavior, while script
>> > execution is not obvious at all. If users care about script exposure,
>> > they can simply add "
>> > at the top of the script as it is now.
>> >
>> > We can make a secure program with register_globals=On as well as embed
>> > everything by default. The same argument applies here. IMHO.
>>
>> You need 2 things to go wrong though. 1st, you need a way for someone to
>> upload arbitrary files, and second, you need an include $_GET['filename']
>> somewhere. However, if you think about it, the include part is
>> completely secondary: if you can upload arbitrary files you can just
>> request them directly in order to execute them, so the include part is
>> irrelevant.
>>
>
> I'm aware of this issue. That's the reason why I added script()/script_once()
> to the original proposal. (include()/require() work as they do now. For
> compatibility, users may simply wrap include() to have script() for older PHP.)
>

I forgot to mention the 2nd. I usually disable the engine for the upload
directory in httpd.conf, or do not allow anything to be uploaded under the
webroot.
Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net
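The two-step failure Rasmus describes above (an unrestricted upload plus an include driven by request input), shown next to a hardened form of the same include. This is an added example for this thread, not code from the RFC or from either author. The `pages/` directory layout, the page names in the allow-list and the `page` query parameter are assumptions made for illustration.

```php
<?php
// Added example, not code from the php.internals thread or the RFC.
// Contrasts the "include $_GET['filename']" pattern from the discussion
// with an allow-listed include that cannot reach an uploaded file.

// Vulnerable form: whatever path the client supplies is included and
// executed. Combined with an upload directory under the webroot, the
// attacker picks ?filename=../uploads/avatar.jpg (a PHP file in disguise)
// and the interpreter runs it.
function include_page_unsafe(): void
{
    include $_GET['filename'];
}

// Hardened form: the request carries a token, not a path. The token is
// mapped through a fixed allow-list, and the resolved file is checked to
// lie under the pages directory so symlinks cannot redirect it elsewhere.
const PAGES_DIR = __DIR__ . '/pages';      // assumed layout
const ALLOWED_PAGES = [                    // assumed page names
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

// Returns the absolute path of the script to include, or null if the
// token is unknown or the file resolves outside PAGES_DIR.
function resolve_page(string $name): ?string
{
    if (!array_key_exists($name, ALLOWED_PAGES)) {
        return null;
    }
    $base = realpath(PAGES_DIR);
    $path = realpath(PAGES_DIR . '/' . ALLOWED_PAGES[$name]);
    // realpath() returns false for missing files; the prefix test rejects
    // anything resolved (for example via a symlink) out of the pages tree.
    if ($base === false || $path === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

function include_page_safe(string $name): void
{
    $path = resolve_page($name);
    if ($path === null) {
        http_response_code(404);
        echo 'No such page';
        return;
    }
    include $path;
}

// Front controller: ?page=about selects a page, anything else is a 404.
include_page_safe($_GET['page'] ?? 'home');
```

Yasuo's other mitigation, disabling the engine for the upload directory in httpd.conf, corresponds under mod_php to a `<Directory>` block for the upload tree containing `php_admin_flag engine Off`; it has to live in the server configuration, since `php_admin_flag` cannot be overridden from `.htaccess`, and only mod_php understands the directive, so a php-fpm deployment needs the PHP handler denied for that directory instead. As the reply also suggests, keeping uploads outside the document root avoids the question entirely, and the allow-listed include above means that even a file that does land under the webroot cannot be pulled in through `include`.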