Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:72556
Return-Path: <rasmus@lerdorf.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 94380 invoked from network); 13 Feb 2014 15:07:48 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 13 Feb 2014 15:07:48 -0000
Authentication-Results: pb1.pair.com header.from=rasmus@lerdorf.com; sender-id=unknown
Authentication-Results: pb1.pair.com smtp.mail=rasmus@lerdorf.com; spf=permerror; sender-id=unknown
Received-SPF: error (pb1.pair.com: domain lerdorf.com from 209.85.213.43 cause and error)
X-PHP-List-Original-Sender: rasmus@lerdorf.com
X-Host-Fingerprint: 209.85.213.43 mail-yh0-f43.google.com  
Received: from [209.85.213.43] ([209.85.213.43:45642] helo=mail-yh0-f43.google.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id 7C/C2-09050-2CFDCF25 for <internals@lists.php.net>; Thu, 13 Feb 2014 10:07:47 -0500
Received: by mail-yh0-f43.google.com with SMTP id z6so10174566yhz.16
        for <internals@lists.php.net>; Thu, 13 Feb 2014 07:07:43 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20130820;
        h=x-gm-message-state:message-id:date:from:user-agent:mime-version:to
         :cc:subject:references:in-reply-to:content-type
         :content-transfer-encoding;
        bh=w4gJUzXZnrNxY4VwaR5Bhl+O5NpGR9Q3tbus5J4LovQ=;
        b=gVcbYw3YXtq9AyJlsLYsKceHPOIBODeXHXGdk2/HCL0ICdCMNucsCHQ4uHrfGx20Ot
         jlgPOu29loYJvYIRkY8PUOqLsV46tpkNEbnqx8WR8/TCDyCYinzEWJP3dt4ctMXM7t0l
         TgCjl/QfdWx7/kh5URPV54V9BDHSvDAkIequw13o6SZfOv58kdTEVOp825xX1lHzGTDM
         Y/2zZoNxpgJ+pCAUBP2U+FiMY0tdqxQ4rt+niuym//9XsWJi2OQ+k5CzmhaIf5iJ81qY
         9bM+75c4NY0ENwlm2cNebPmQf0T0vcV3mIS/WTiWvVObiTD5rnLLCtbcymjyZc9hOL3R
         PRHA==
X-Gm-Message-State: ALoCoQkLIB+U+fDPwzSVXkKNhmumh/wzBBJSWTdYyUhdqf+li1k1igxkizk1//Bh8cyLvEVLXxQc
X-Received: by 10.236.63.135 with SMTP id a7mr1694200yhd.84.1392304063586;
        Thu, 13 Feb 2014 07:07:43 -0800 (PST)
Received: from [192.168.103.117] (c-50-154-145-223.hsd1.fl.comcast.net. [50.154.145.223])
        by mx.google.com with ESMTPSA id b24sm6697445yhl.25.2014.02.13.07.07.42
        for <multiple recipients>
        (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128);
        Thu, 13 Feb 2014 07:07:42 -0800 (PST)
Message-ID: <52FCDFBD.80901@lerdorf.com>
Date: Thu, 13 Feb 2014 07:07:41 -0800
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.2.0
MIME-Version: 1.0
To: Yasuo Ohgaki <yohgaki@ohgaki.net>
CC: "internals@lists.php.net" <internals@lists.php.net>
References: <CAGa2bXYU0+eVgnDCkqpG6AWvLCX9gV3+5nzoeD-RJge8Rtw-dQ@mail.gmail.com> <CAGa2bXZCBxJczqX6FKz0T0_iV9LzdeHkw46c17NQsanuCCJ9rA@mail.gmail.com> <52FBF8F8.5040107@gmail.com> <CAGa2bXb=2fJisj90HY6ojMKmJeFFGbTwn6J1vZayzxBTLz7fBQ@mail.gmail.com>
In-Reply-To: <CAGa2bXb=2fJisj90HY6ojMKmJeFFGbTwn6J1vZayzxBTLz7fBQ@mail.gmail.com>
X-Enigmail-Version: 1.6
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
Subject: Re: [PHP-DEV] Re: [RFC] No PHP tags
From: rasmus@lerdorf.com (Rasmus Lerdorf)

On 02/12/2014 05:30 PM, Yasuo Ohgaki wrote:
> I think you have enough skill to prevent script inclusion attacks. However,
> all PHP users are not. Take a look at vulnerability reports, you'll find
> number of LFI that could be prevented by this RFC.
> 
> http://packetstormsecurity.com/search/?q=LFI
> 
> These are only reported LFI vulnerabilities and there are countless
> vulnerable scripts in the wild.
> 
> I don't see any reason to keep doors open for attackers. We are better to
> close as many doors as possible, especially for fatal disaster(script
> execution).
> 
> Thank you for the comment!
> 
> Regards,
> 
> P.S. I was added script()/script_once() to the original RFC. However, it
> may be easier for users to have template()/template_once() that parses file
> as embedded PHP script mode always and keep include()/require() for script
> inclusion. This way, users do not have to rewrite include()/require() to
> script(). Anyone has any comments?

I just went through about 20 LFIs at
http://packetstormsecurity.com/search/?q=LFI and in every single case an
appropriately set open_basedir would have prevented the LFI. That seems
pretty definitive to me. The feature to prevent LFI is already there. We
do not need another one. Especially one that introduces a confusing
distinction between scripts and templates which really has nothing to do
with the underlying problem.

So the real problem is two-fold. People are making these mistakes in the
first place, and second, they are not coding defensively and setting
open_basedir. You are still asking people to actively make a defensive
coding change with this RFC, but the people who make these mistakes and
don't code defensively aren't suddenly going to change so they would not
benefit.

-Rasmus