Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:81903
Return-Path: <pierre.php@gmail.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 49802 invoked from network); 5 Feb 2015 11:49:24 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 5 Feb 2015 11:49:24 -0000
Authentication-Results: pb1.pair.com smtp.mail=pierre.php@gmail.com; spf=pass; sender-id=pass
Authentication-Results: pb1.pair.com header.from=pierre.php@gmail.com; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.216.43 as permitted sender)
X-PHP-List-Original-Sender: pierre.php@gmail.com
X-Host-Fingerprint: 209.85.216.43 mail-qa0-f43.google.com  
Received: from [209.85.216.43] ([209.85.216.43:40012] helo=mail-qa0-f43.google.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id 9A/54-27691-3C853D45 for <internals@lists.php.net>; Thu, 05 Feb 2015 06:49:23 -0500
Received: by mail-qa0-f43.google.com with SMTP id v10so5418690qac.2
        for <internals@lists.php.net>; Thu, 05 Feb 2015 03:49:21 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=mime-version:in-reply-to:references:date:message-id:subject:from:to
         :cc:content-type;
        bh=A99YgupMl+Rnq2G+3xvwMXu7Fbuw6Mqf4+JguVTQjpM=;
        b=PuYGaKqtyWAlLqLfqQ8tkbk0jhgQYt5ghIlqRRcrxX6ra4fpcI/iRzruoI4KKpokpo
         i+Ru4gEPoQ3g9zmJFRMDVTNOS/5PI9g9kz3xytV38aKiq9d4veNGAovTax7yR/+6Q8pt
         /SQf+nOodkUMniDADapdv7SJbLyJD94pP8/QF94s23JZHucRE5cVu8HJYGGwjpJnBDgE
         4ELjHsxhaQj8hUN7igxTckcJrrHhmrzQwOhvdfhkKGvZcSp6g37lLaImYmA/xxH1yBY4
         6f1o/N6XPqnmgHJTkSZQyjSbV+G2Nvk9VpAQTdBP7YWxE/t131WYo2BQxRtENlf5tAyU
         j8jw==
MIME-Version: 1.0
X-Received: by 10.224.24.132 with SMTP id v4mr7238459qab.17.1423136960997;
 Thu, 05 Feb 2015 03:49:20 -0800 (PST)
Received: by 10.96.3.168 with HTTP; Thu, 5 Feb 2015 03:49:20 -0800 (PST)
In-Reply-To: <CAGa2bXarZ4A9+HPXniAvBxEtE9KEJTYHHW8aYHCkBsNN5dRNUw@mail.gmail.com>
References: <CAGa2bXZMxxXBOQ=NdbNtzgrjjvdomV8zOr+Z4zASZU4+JHmqyw@mail.gmail.com>
	<CAGa2bXbf=hzbZ9eH6JVnMM0+6OeTQvAoqBe44g8qxFAAr9u9Kw@mail.gmail.com>
	<CAG1choq8S_EkdS22SFO+443u_LYVB-Z-b2ra6RK8sDhrJKc-VQ@mail.gmail.com>
	<CAGa2bXbJyK=2GCmGDw7PAh0ib=EL9GO7FFGf0X6VyAWqfR8EAA@mail.gmail.com>
	<CADajX4CHHdSpUfLfjhwrtdzmJfg9di4FpfeVEzBG4P7K7B+e0w@mail.gmail.com>
	<CAPwsocGh_-SYiWceEg=5go8G1bUs+CWUBb9uv_2Oh7AZhBxd8A@mail.gmail.com>
	<CAGa2bXY36wVN50sQ=MTYi+X6664+NYqMhsYFVZ9jeFZ1DXBg9Q@mail.gmail.com>
	<CAEZPtU5=vJG6=cguZfcT6RBriu8GT9vfW=Lqva8-XfEnXzZ23Q@mail.gmail.com>
	<CAGa2bXarZ4A9+HPXniAvBxEtE9KEJTYHHW8aYHCkBsNN5dRNUw@mail.gmail.com>
Date: Thu, 5 Feb 2015 18:49:20 +0700
Message-ID: <CAEZPtU4ThQHcH1hsgYaKwd2yOKAGP7obmcDH15qbDVr6CdgzSQ@mail.gmail.com>
To: Yasuo Ohgaki <yohgaki@ohgaki.net>
Cc: Leigh <leight@gmail.com>, Adam Harvey <aharvey@php.net>, reeze <reeze@php.net>, 
	"internals@lists.php.net" <internals@lists.php.net>
Content-Type: text/plain; charset=UTF-8
Subject: Re: [PHP-DEV] Re: [RFC][DISCUSSION] script() and script_once()
From: pierre.php@gmail.com (Pierre Joye)

On Thu, Feb 5, 2015 at 5:47 PM, Yasuo Ohgaki <yohgaki@ohgaki.net> wrote:
> Hi Pierre and all,
>
> On Thu, Feb 5, 2015 at 7:24 PM, Pierre Joye <pierre.php@gmail.com> wrote:
>>
>> >
>> >
>> > I'm proposing *SCRIPT* only inclusion. This can be done by
>> >
>> >  - allowing "<?php" only at to top of script
>> >  - not allowing "?>" anywhere (We may allow at the end possibly)
>> >
>> > Those who do not understand my point.
>> > Please search by "PHP LFI" or "PHP file inclusion" for real life
>> > security issues.
>>
>> I do understand what you try to achieve, from all point of view.
>> However I strongly disagree with this as a security improvement. I see
>> this more as yet another attempt to replace what should be done at the
>> OS level.
>
>
> This is "PHP inclusion" search result.
>
> http://www.exploit-db.com/search/?action=search&filter_page=1&filter_description=PHP&filter_exploit_text=inclusion&filter_author=&filter_platform=0&filter_type=0&filter_lang_id=0&filter_port=&filter_osvdb=&filter_cve=
>
> While I understand your opinion and the methodology is good practice indeed,
> but I
> cannot ignore the fact that PHP is *MUCH* more vulnerable than other
> languages. Other
> languages do not have many security issue like PHP. The reason is simple.
>
> PHP enables embedding mode always for script inclusion.
>
> Solution is simple also.
>
> Provide non embedding mode script inclusion.
>
> PHP is made for web and web is priority target of attackers.
> PHP is better to be safer than now, the same level as other languages at
> least.
>
> I hope there will be a consensus to make PHP safer as other languages.

PHP is just as safe than the other languages. PHP applicatons maybe
less, maybe more. I tend to see the amount of attacks as a proof of
success of a tool instead of a proof of the tool being unsafe (not
worth attacking 0.01% of the market when you can attack 75%).

> Your proposal requires admins to do the job. It's better to have developer
> option.
>
> Do any of you have other preferred option for developers?

We do have one, it is called open_basedir, which I wanted to remove as
well but we agreed that it has its usefulness. One of them being
exactly to avoid the inclusion (and display) of critical information.
It indeed does not prevent one to include and display some text data
containing passwords or the likes when they are in the open_basedir
list but still.

And again, if one app allows unvalidated include/require (as in your
example), it will most likely do fopen and co as well and get data
displayed one way or another. Using yet another construct will again
give a false sense of security, solving a real problem using a bandaid
tape.

Cheers,
-- 
Pierre

@pierrejoye | http://www.libgd.org