Newsgroups: php.internals
Date: Thu, 27 Feb 2014 06:23:32 +0900
From: yohgaki@ohgaki.net (Yasuo Ohgaki)
To: Stas Malyshev
Cc: Johannes Schlüter, "internals@lists.php.net"
Subject: Re: [PHP-DEV] Resolution for ver_export()/addslashes() encoding based script execution attack?

Hi Stas,

On Wed, Feb 26, 2014 at 8:52 PM, Stas Malyshev wrote:

> > The situation around var_export() is a bit more complicated.
> > var_export() is used to create application configuration, cache data
> > etc. so one might expect the PHP which created that to be able to read
> > that, again. Doing this isn't easy, though, as it makes the generated
> > file non-portable.
>
> Are you suggesting if var_export generates the data it may not be
> readable by standard PHP? Or by PHP running with specific
> script_encoding like SJIS? If the latter, I think var_export to generate
> valid SJIS data is hard to achieve, since SJIS is not ASCII-compatible.

I think you've mailed this before reading my mail to you.

PHP supports SJIS and the like. Escape functions should provide safe
escaping like databases. The only way to solve this issue is encoding-aware
escaping, which databases adopted years ago.

I'm proposing a known method to fix a known vulnerability.

BTW, users who do not have to worry about this are not affected by the
proposed change.

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net
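
The encoding-aware escaping discussed in this message, as an added example that is not part of the original mail or of PHP's source: a Python model of a byte-wise escaper beside a Shift_JIS-aware one. The function names, the lead/trail byte ranges (the usual Shift_JIS/CP932 double-byte layout) and the sample bytes are assumptions constructed for illustration.

```python
# Added illustration, not code from the thread or from PHP itself.
# All function names here are hypothetical.

SPECIAL = b"'\"\\"  # bytes that get a backslash prefix

def escape_byte(b: int) -> bytes:
    """Escape one single-byte character the way a slash-escaper would."""
    if b == 0x00:
        return b"\\0"                # NUL becomes backslash + "0"
    if b in SPECIAL:
        return b"\\" + bytes([b])
    return bytes([b])

def bytewise_escape(data: bytes) -> bytes:
    """Model of an escaper with no notion of character boundaries."""
    return b"".join(escape_byte(b) for b in data)

def is_lead(b: int) -> bool:
    # First byte of a double-byte character (assumed Shift_JIS/CP932 ranges).
    return 0x81 <= b <= 0x9F or 0xE0 <= b <= 0xFC

def is_trail(b: int) -> bool:
    # Second byte of a double-byte character; note that 0x5C is in range.
    return 0x40 <= b <= 0x7E or 0x80 <= b <= 0xFC

def sjis_escape(data: bytes) -> bytes:
    """Encoding-aware escaper: walks characters, not bytes, and
    rejects malformed input instead of guessing at it."""
    out = bytearray()
    i = 0
    while i < len(data):
        b = data[i]
        if is_lead(b):
            if i + 1 >= len(data) or not is_trail(data[i + 1]):
                raise ValueError(f"malformed Shift_JIS sequence at offset {i}")
            out += data[i:i + 2]     # copy both bytes untouched
            i += 2
        else:
            out += escape_byte(b)
            i += 1
    return bytes(out)

# Constructed sample: U+8868 is 0x95 0x5C in Shift_JIS, so its trail byte
# has the same value as an ASCII backslash. It is followed by one quote.
SAMPLE = b"\x95\x5c'"

if __name__ == "__main__":
    print(bytewise_escape(SAMPLE))   # trail byte doubled: character count changes
    print(sjis_escape(SAMPLE))       # only the real quote is escaped
```

Read back as Shift_JIS, the byte-wise output carries two backslashes before the quote where the encoding-aware output carries one, so only the second form round-trips to the original value.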