Newsgroups: php.internals
Date: Tue, 22 Apr 2014 11:13:14 +0900
From: yohgaki@ohgaki.net (Yasuo Ohgaki)
To: Stas Malyshev
Cc: Jakub Zelenka, Lester Caine, PHP internals
Subject: Re: [PHP-DEV] utf-8 filenames in phar files.

Hi Stas,

On Tue, Apr 22, 2014 at 8:06 AM, Stas Malyshev wrote:

> > I have created a quick PR: https://github.com/php/php-src/pull/649 that
> > is fixing the ill-formed UTF-8 paths.
>
> Thanks for the patch. One thing I'd like to understand is what is the
> added value of being so strict in checking UTF-8. I.e. what would happen
> if we allow some path with weird chars in?

Although invalid encoding would not be a security issue by itself,
invalid encoding creates various uncertainties. There are/were many
ways to use it to exploit. E.g. old browsers had _many_ security issues
with ill-formed strings.

One valid example I can think of right now is filter evasion.
http://capec.mitre.org/data/definitions/80.html

Another is DoS. Browsers may refuse to render the page at all when there
are ill-formed strings, e.g. recent Chrome.

Yet another is injections, i.e. if a user assumes the path name encoding is
UTF-8 and doesn't escape, their program could be vulnerable to injections.

Other programs are getting better at dealing with invalid encodings, but
leaving invalid encoding relies on other programmers' code for proper/safe
operation. This is not good.

Any external inputs that have a certain form must be validated where it is
possible. This way, we would not leave uncertainties/risks.

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net
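
The filter-evasion point and the "validate where possible" rule above, as an added example that is not part of the original message or of PR 649: a strict UTF-8 well-formedness check in C, following the Unicode Standard's table of well-formed byte sequences, run before a byte-level path filter. Function names and sample paths are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Returns 1 if s[0..len) is well-formed UTF-8 (Unicode Table 3-7), else 0. */
int utf8_well_formed(const unsigned char *s, size_t len)
{
    size_t i = 0;
    while (i < len) {
        unsigned char c = s[i], lo = 0x80, hi = 0xBF; /* 2nd-byte range */
        size_t n;                                     /* continuation bytes */
        if (c <= 0x7F) { i++; continue; }
        else if (c >= 0xC2 && c <= 0xDF) n = 1;       /* C0, C1: always overlong */
        else if (c == 0xE0) { n = 2; lo = 0xA0; }     /* no overlong 3-byte form */
        else if (c == 0xED) { n = 2; hi = 0x9F; }     /* no UTF-16 surrogates */
        else if (c >= 0xE1 && c <= 0xEF) n = 2;
        else if (c == 0xF0) { n = 3; lo = 0x90; }     /* no overlong 4-byte form */
        else if (c == 0xF4) { n = 3; hi = 0x8F; }     /* nothing above U+10FFFF */
        else if (c >= 0xF1 && c <= 0xF3) n = 3;
        else return 0;                                /* stray 80..C1, F5..FF */
        if (len - i <= n) return 0;                   /* truncated sequence */
        if (s[i + 1] < lo || s[i + 1] > hi) return 0;
        for (size_t k = 2; k <= n; k++)
            if ((s[i + k] & 0xC0) != 0x80) return 0;
        i += n + 1;
    }
    return 1;
}

/* Byte-level filter: returns 1 if the path contains the ASCII bytes "../". */
int naive_has_traversal(const char *path)
{
    return strstr(path, "../") != NULL;
}

/* Validate first, filter second: 1 only for well-formed paths without "../". */
int path_is_acceptable(const char *path)
{
    if (!utf8_well_formed((const unsigned char *)path, strlen(path)))
        return 0;
    return !naive_has_traversal(path);
}

int main(void)
{
    /* Constructed samples: valid UTF-8, overlong-encoded '/', plain "../". */
    const char *samples[] = { "dir/\xE6\x97\xA5.txt", "..\xC0\xAF" "x.txt", "../x.txt" };
    for (size_t i = 0; i < 3; i++)
        printf("sample %zu: naive_hit=%d acceptable=%d\n", i,
               naive_has_traversal(samples[i]), path_is_acceptable(samples[i]));
    return 0;
}
```

The second sample shows why the byte-level filter alone is not enough: it reports no hit, and only the well-formedness check rejects the path before a lenient decoder further down could reinterpret it.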