Newsgroups: php.internals
References: <52FF3BB7.8030408@lsces.co.uk> <52FF465E.4040400@lsces.co.uk>
<5355A48D.7050600@sugarcrm.com>
Date: Tue, 22 Apr 2014 11:22:22 +0900
From: Yasuo Ohgaki <yohgaki@ohgaki.net>
To: Stas Malyshev
Cc: Jakub Zelenka, Lester Caine, PHP internals
Subject: Re: [PHP-DEV] utf-8 filenames in phar files.

On Tue, Apr 22, 2014 at 11:13 AM, Yasuo Ohgaki wrote:

> On Tue, Apr 22, 2014 at 8:06 AM, Stas Malyshev wrote:
>
>> > I have created a quick PR: https://github.com/php/php-src/pull/649 that
>> > is fixing the ill-formed UTF-8 paths.
>>
>> Thanks for the patch. One thing I'd like to understand is what is the
>> added value of being so strict in checking UTF-8. I.e. what would happen
>> if we allow some path with weird chars in?
>
> Although invalid encoding would not be a security issue by itself, invalid
> encoding creates various uncertainties. There are/were many ways to use it
> to exploit. E.g. old browsers had _many_ security issues with ill-formed
> strings. One valid example I can think of right now is filter evasion.
>
> http://capec.mitre.org/data/definitions/80.html
>
> Another is DoS. Browsers may refuse to render a page at all when there are
> ill-formed strings, e.g. recent Chrome. Yet another is injections, i.e. if
> a user assumes the path name encoding is UTF-8 and didn't escape, their
> program could be vulnerable to injections.
>
> Other programs are getting better at dealing with invalid encodings, but
> leaving invalid encoding in relies on other programmers' code for
> proper/safe operations. This is not good. Any external inputs that have a
> certain form must be validated where possible. This way, we would not
> leave uncertainties/risks.

BTW, without NFC normalization, I'm sure there will be unhappy users if they
use it with OSX and Linux/Windows. OSX decomposes Unicode, so there will be
the same path name with a different Unicode string that appears the same on
their terminal etc. on Linux/Windows.

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net
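The two checks argued for in this message, rejecting ill-formed UTF-8 before a path name is accepted and comparing path names only after NFC normalization, in concrete form. This is an added Python example; it is not code from the thread or from the php-src pull request, and the function names and the sample byte strings are constructed for illustration:

```python
import unicodedata


def is_well_formed_utf8(data: bytes) -> bool:
    """Strict UTF-8 check following the well-formed byte ranges of RFC 3629.

    Rejects the cases a permissive decoder may let through: overlong
    encodings (e.g. C0 AF for '/'), UTF-16 surrogates (ED A0..BF xx),
    code points above U+10FFFF, truncated sequences and stray
    continuation bytes.
    """
    i, n = 0, len(data)
    while i < n:
        b0 = data[i]
        if b0 < 0x80:                       # single-byte ASCII
            i += 1
            continue
        # need = number of continuation bytes; lo..hi = range of the first one
        if 0xC2 <= b0 <= 0xDF:
            need, lo, hi = 1, 0x80, 0xBF
        elif b0 == 0xE0:
            need, lo, hi = 2, 0xA0, 0xBF    # E0 80..9F would be an overlong form
        elif 0xE1 <= b0 <= 0xEC or 0xEE <= b0 <= 0xEF:
            need, lo, hi = 2, 0x80, 0xBF
        elif b0 == 0xED:
            need, lo, hi = 2, 0x80, 0x9F    # ED A0..BF would encode a surrogate
        elif b0 == 0xF0:
            need, lo, hi = 3, 0x90, 0xBF    # F0 80..8F would be an overlong form
        elif 0xF1 <= b0 <= 0xF3:
            need, lo, hi = 3, 0x80, 0xBF
        elif b0 == 0xF4:
            need, lo, hi = 3, 0x80, 0x8F    # F4 90.. would exceed U+10FFFF
        else:
            return False                    # 80..C1 and F5..FF never start a sequence
        if i + need >= n:                   # sequence runs past the end of the input
            return False
        if not lo <= data[i + 1] <= hi:
            return False
        for k in range(2, need + 1):
            if not 0x80 <= data[i + k] <= 0xBF:
                return False
        i += need + 1
    return True


def canonical_path(raw: bytes) -> str:
    """Validate a raw path name and return its NFC form, or raise ValueError."""
    if not is_well_formed_utf8(raw):
        raise ValueError("ill-formed UTF-8 in path name: %r" % (raw,))
    return unicodedata.normalize("NFC", raw.decode("utf-8"))


def same_path(a: bytes, b: bytes) -> bool:
    """True when two raw names denote the same file after NFC normalization."""
    return canonical_path(a) == canonical_path(b)


if __name__ == "__main__":
    # Constructed sample names: the decomposed form is what an OS X file system
    # hands back, the composed form is what Linux/Windows typically store.
    composed = "caf\u00e9.txt".encode("utf-8")      # 63 61 66 C3 A9 ...
    decomposed = "cafe\u0301.txt".encode("utf-8")   # 63 61 66 65 CC 81 ...
    print(composed == decomposed, same_path(composed, decomposed))   # False True
    for bad in (b"\xc0\xaf", b"\xed\xa0\x80", b"\xe2\x82", b"\xf4\x90\x80\x80"):
        print(bad, is_well_formed_utf8(bad))       # all False
```

The byte-level comparison of the two spellings of the same name fails while the NFC comparison succeeds, which is the mismatch the message predicts between OSX and Linux/Windows users; the validator is deliberately table-driven on the lead byte so that each rejected class (overlong, surrogate, out-of-range, truncated) is a visible, reviewable rule rather than an implicit decoder behaviour.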