Newsgroups: php.internals
Xref: news.php.net php.internals:81448
Date: Fri, 30 Jan 2015 20:17:55 +0100
From: Patrick Schaaf <php@bof.de>
To: Leigh
Cc: internals, Robert Williams
Subject: Re: [PHP-DEV] How does the PHP Ghost one-liner work

On 30.01.2015 20:09, "Leigh" wrote:
>
> Well, I guess in theory we should be limiting the size of input to
> gethostbyname to 255 characters.

Yeah, but in theory the C library gethostbyname() should do the same...

There will be a lot of things that could be checked up-front instead of
relying on the C layer stuff to do its work. Do you want to pre-examine
pathnames regarding maximum path name lengths? Check the fopen mode
parameter for POSIXly valid content? There's a zillion ways libc might be
vulnerable. And any such up-front in-PHP check might then be blessed with
exploitable bugs itself...

best regards
  Patrick
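What the check Leigh proposes would look like at the C layer, as an added example written for this page (it is not code from the thread and not PHP's own ext/standard implementation). The 255-octet and 63-octet limits are the RFC 1035 bounds and the validator is deliberately one bounded strnlen() plus one pass over the bytes, to keep the surface for the "check with exploitable bugs of its own" that Patrick warns about as small as possible. The function names, the wrapper and the 2500-digit input are assumptions and constructed data; the digit-only string is my guess at the shape of the thread's "Ghost one-liner" input, not something copied from the list.

```c
/* Added example, not from the php.internals thread or from PHP's source.
 * Validate a hostname against DNS syntax limits before letting it reach
 * the C library's gethostbyname(). */
#define _GNU_SOURCE
#include <ctype.h>
#include <netdb.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* RFC 1035 limits (assumed here as the bounds for the textual form). */
#define MAX_HOSTNAME_LEN 255
#define MAX_LABEL_LEN    63

/* Pure syntax check: LDH labels (letters, digits, hyphen; no leading or
 * trailing hyphen) separated by single dots, optional trailing dot.
 * Digit-only labels such as "0000" are accepted on purpose: the length
 * bound, not the character rules, is what rejects a very long digit run. */
bool hostname_is_valid(const char *name)
{
    if (name == NULL)
        return false;

    /* strnlen() reads at most MAX_HOSTNAME_LEN + 1 bytes, so an oversized
     * or unterminated buffer cannot turn the check into a long scan. */
    size_t len = strnlen(name, MAX_HOSTNAME_LEN + 1);
    if (len == 0 || len > MAX_HOSTNAME_LEN)
        return false;

    size_t label_len = 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];

        if (c == '.') {
            if (label_len == 0)          /* leading dot or ".." */
                return false;
            if (name[i - 1] == '-')      /* label must not end with '-' */
                return false;
            label_len = 0;
            continue;
        }
        if (!isalnum(c) && c != '-')     /* not an LDH character */
            return false;
        if (label_len == 0 && c == '-')  /* label must not start with '-' */
            return false;
        if (++label_len > MAX_LABEL_LEN)
            return false;
    }
    /* label_len == 0 here means a single trailing dot (FQDN form), which is
     * fine; otherwise the last label must not end with '-'. */
    return label_len == 0 || name[len - 1] != '-';
}

/* Hypothetical wrapper: refuse out-of-spec names up front, returning NULL
 * (as gethostbyname() does on failure) without any lookup. */
struct hostent *checked_gethostbyname(const char *name)
{
    if (!hostname_is_valid(name))
        return NULL;
    return gethostbyname(name);
}

/* Constructed input: a run of n '0' digits, i.e. a name libc would first
 * try to parse as a numeric address. Returns true when the validator
 * rejects it; no DNS traffic is generated either way. */
bool rejects_digit_run(size_t n)
{
    char *buf = malloc(n + 1);
    if (buf == NULL)
        return false;
    memset(buf, '0', n);
    buf[n] = '\0';
    bool rejected = !hostname_is_valid(buf);
    free(buf);
    return rejected;
}

int main(void)
{
    const char *names[] = { "example.com", "www.example.com.", "-bad.example",
                            "a..b", "bad-.example", "0000" };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("%-18s %s\n", names[i],
               hostname_is_valid(names[i]) ? "ok" : "rejected");
    printf("2500 digits:       %s\n",
           rejects_digit_run(2500) ? "rejected" : "accepted");
    return 0;
}
```

The wrapper only fails closed on syntax; it says nothing about what libc does with a well-formed name, which is Patrick's point: the check narrows the input libc sees, it does not make libc correct.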