Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:72493
Return-Path: <lester@lsces.co.uk>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 78780 invoked from network); 12 Feb 2014 05:36:22 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 12 Feb 2014 05:36:22 -0000
Authentication-Results: pb1.pair.com header.from=lester@lsces.co.uk; sender-id=unknown
Authentication-Results: pb1.pair.com smtp.mail=lester@lsces.co.uk; spf=permerror; sender-id=unknown
Received-SPF: error (pb1.pair.com: domain lsces.co.uk from 217.147.176.204 cause and error)
X-PHP-List-Original-Sender: lester@lsces.co.uk
X-Host-Fingerprint: 217.147.176.204 mail4.serversure.net Linux 2.6
Received: from [217.147.176.204] ([217.147.176.204:42348] helo=mail4.serversure.net)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id A2/90-07280-5580BF25 for <internals@lists.php.net>; Wed, 12 Feb 2014 00:36:21 -0500
Received: (qmail 30141 invoked by uid 89); 12 Feb 2014 05:36:18 -0000
Received: by simscan 1.3.1 ppid: 30135, pid: 30138, t: 0.1482s
         scanners: attach: 1.3.1 clamav: 0.96/m:52
Received: from unknown (HELO linux-dev4.lsces.org.uk) (lester@rainbowdigitalmedia.org.uk@81.138.11.136)
  by mail4.serversure.net with ESMTPA; 12 Feb 2014 05:36:18 -0000
Message-ID: <52FB0920.8040903@lsces.co.uk>
Date: Wed, 12 Feb 2014 05:39:44 +0000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:27.0) Gecko/20100101 Firefox/27.0 SeaMonkey/2.24
MIME-Version: 1.0
To: "internals@lists.php.net" <internals@lists.php.net>
References: <CAGa2bXYU0+eVgnDCkqpG6AWvLCX9gV3+5nzoeD-RJge8Rtw-dQ@mail.gmail.com> <CAGa2bXZCBxJczqX6FKz0T0_iV9LzdeHkw46c17NQsanuCCJ9rA@mail.gmail.com> <52FA67A4.3030708@lerdorf.com> <CAGa2bXaHTCx+8=BJH-L+KqANo9NtEML3cp2sJqgv1jmGLYXaGg@mail.gmail.com> <52FAB58E.3080701@lsces.co.uk> <CAGa2bXbSD2xnOfptvZZu5Bj-L1LV5n213xB5C=haAd1vX8dfog@mail.gmail.com>
In-Reply-To: <CAGa2bXbSD2xnOfptvZZu5Bj-L1LV5n213xB5C=haAd1vX8dfog@mail.gmail.com>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
Subject: Re: [PHP-DEV] Re: [RFC] No PHP tags
From: lester@lsces.co.uk (Lester Caine)

Yasuo Ohgaki wrote:
> Does this answer to you?
> I'll reorganize the RFC from now.

I'll refer you agin to https://wiki.php.net/rfc/source_files_without_opening_tag 
which was cloulding my own reading of the new rfc! Tom's first paragraph is the 
pertinent bit ...

In the past I did my best work while sleeping. Gather all the facts and go to 
bed ... invariably I'd wake up as I have now in the early hours of the morning 
with an answer. Problem these days is simply remembering enough information to 
work with. As we get older the 20+ years old stuff remains stubbornly stable and 
we forget the new stuff! That is why as you get older you will start objecting 
to unnecessary change ... I still hit <Ctrl><C> for copy even where the 'new' 
version is <Shift><Ins> :( But as usual I'm digressing ... old age.

RFI is as far as I an tell simply a matter of of configuring the web server to 
only process .php files via PHP ? If you are allowing users to upload .PHP files 
onto your machine in a location they can then run them you have bigger problems 
than PHP.

LFI is the one that will allow corrupted files containing .php tags to run if 
you have not taken care of them while they are being uploaded. ONLY permanently 
disabling embedding will guarantee that these files do not get accidentally 
loaded. i.e. 'changes the spirit of PHP too much' ...

----
   function render_template($template, $template_vars) {
     ini_set('template_mode', 'on'); // Older PHP ignores
     include($template, $template_vars); // Or use any other method to render.
     ini_set('template_mode', 'off'); // Older PHP ignores
   }
----

Simply pushes the problem around a little and still requires that '$template' 
does not point at a file that contains embedded nasties?
include($template.'.php', $template_vars); does the job a lot easier?

Modern frameworks ... if they are well designed ... should already have 
addressed all of the holes that could allow tainted files to be accessed. 
Embedding is the essence of PHP and for many users adding a few lines of PHP to 
an essentially html document is all that is needed. They don't need the ton of 
framework code?

Smarty dropped embedded PHP from their templates in S3 'because of the security 
risk' but all it actually did was required that the problem php code in S2 
scripts was moved back into the calling PHP. It lost a LOT of flexibility and 
passed the buck rather than fixing the problem. It did not fix the risk at all. 
I don't see how this is doing any more than pushing the problem around? You 
still need to properly sanitise the material and if people want to do stupid 
things like

     ini_set('template_mode', 'on'); // Older PHP ignores
     include($_GET['template']); // Or use any other method to render.
     ini_set('template_mode', 'off'); // Older PHP ignores

can you really protect them anyway? Anybody who codes like that when the 
problems are so well advertised can't be protected except by turning off 'PHP'.

I'm sure many newer users would be better off simply ignoring embedded html 
altogether. It would make there code a lot more secure and would remove the need 
for tags, but is that then PHP?

-- 
Lester Caine - G8HFL
-----------------------------
Contact - http://lsces.co.uk/wiki/?page=contact
L.S.Caine Electronic Services - http://lsces.co.uk
EnquirySolve - http://enquirysolve.com/
Model Engineers Digital Workshop - http://medw.co.uk
Rainbow Digital Media - http://rainbowdigitalmedia.co.uk