Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:81999
Return-Path: <pierre.php@gmail.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 35839 invoked from network); 6 Feb 2015 02:13:17 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 6 Feb 2015 02:13:17 -0000
Authentication-Results: pb1.pair.com header.from=pierre.php@gmail.com; sender-id=pass
Authentication-Results: pb1.pair.com smtp.mail=pierre.php@gmail.com; spf=pass; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.192.49 as permitted sender)
X-PHP-List-Original-Sender: pierre.php@gmail.com
X-Host-Fingerprint: 209.85.192.49 mail-qg0-f49.google.com  
Received: from [209.85.192.49] ([209.85.192.49:34129] helo=mail-qg0-f49.google.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id F3/FA-17766-C3324D45 for <internals@lists.php.net>; Thu, 05 Feb 2015 21:13:16 -0500
Received: by mail-qg0-f49.google.com with SMTP id e89so9236807qgf.8
        for <internals@lists.php.net>; Thu, 05 Feb 2015 18:13:13 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=mime-version:in-reply-to:references:date:message-id:subject:from:to
         :cc:content-type;
        bh=Rjpf4i6zRgYjNvJMVTrM8A2iCxEXXtC+sLV5kZbnjpM=;
        b=iCdhZGMPK8L8/ih99ARAZGkkIpPsxxUBaGW6ZLqpj5FcgaoqaaibVXEqGbszK3gwny
         DvBWb4mtZkoMWOTgcNo28Wu7MEtx6B7P+VcRZyjOqxiTx7Q2RKDFPw/UALzmPHK30cww
         sSimCSVrxK/jwU5wm4vHcVz/8YTdJe+XyWgBCUaE0qsM+sho/whEtX9TFNQ1MMHjNfM7
         4GFBGWMzmyO+9EtVdEMTFI8VKruqXQzRgQpHY2LDWWM1ZnWZigtNSbGNHWxn3knk9JIY
         ZdFt/FGWXeZJaKKIHC6GzdIJJKI9aCoiwCrfVtJSglWpuHD6MhbQLiaEVRc7OI0MhkXM
         u3/Q==
MIME-Version: 1.0
X-Received: by 10.140.100.226 with SMTP id s89mr2944834qge.96.1423188793196;
 Thu, 05 Feb 2015 18:13:13 -0800 (PST)
Received: by 10.96.3.168 with HTTP; Thu, 5 Feb 2015 18:13:13 -0800 (PST)
Received: by 10.96.3.168 with HTTP; Thu, 5 Feb 2015 18:13:13 -0800 (PST)
In-Reply-To: <CAGa2bXbcrS339yoyg4q3GakaGHSuc5Ga_Rd4A3E7=50xKRhfrw@mail.gmail.com>
References: <CAGa2bXZMxxXBOQ=NdbNtzgrjjvdomV8zOr+Z4zASZU4+JHmqyw@mail.gmail.com>
	<CAGa2bXbf=hzbZ9eH6JVnMM0+6OeTQvAoqBe44g8qxFAAr9u9Kw@mail.gmail.com>
	<CAG1choq8S_EkdS22SFO+443u_LYVB-Z-b2ra6RK8sDhrJKc-VQ@mail.gmail.com>
	<CAGa2bXbJyK=2GCmGDw7PAh0ib=EL9GO7FFGf0X6VyAWqfR8EAA@mail.gmail.com>
	<CADajX4CHHdSpUfLfjhwrtdzmJfg9di4FpfeVEzBG4P7K7B+e0w@mail.gmail.com>
	<CAPwsocGh_-SYiWceEg=5go8G1bUs+CWUBb9uv_2Oh7AZhBxd8A@mail.gmail.com>
	<CAGa2bXY36wVN50sQ=MTYi+X6664+NYqMhsYFVZ9jeFZ1DXBg9Q@mail.gmail.com>
	<CAEZPtU5=vJG6=cguZfcT6RBriu8GT9vfW=Lqva8-XfEnXzZ23Q@mail.gmail.com>
	<CAGa2bXarZ4A9+HPXniAvBxEtE9KEJTYHHW8aYHCkBsNN5dRNUw@mail.gmail.com>
	<CAEZPtU4ThQHcH1hsgYaKwd2yOKAGP7obmcDH15qbDVr6CdgzSQ@mail.gmail.com>
	<CAGa2bXbWZJ--nkPaskRfCB91wqXSfY7LCwTefVa-ERxaY2r8Nw@mail.gmail.com>
	<CAEZPtU6mhc4asyeiab8RmFwBcUT873eXB1EPoePswQ0Xw0392g@mail.gmail.com>
	<CAGa2bXbcrS339yoyg4q3GakaGHSuc5Ga_Rd4A3E7=50xKRhfrw@mail.gmail.com>
Date: Fri, 6 Feb 2015 09:13:13 +0700
Message-ID: <CAEZPtU7Ywfha2BLXR+rrOc5ZdV4rEuxyAFvNddngR8jyEPH=Aw@mail.gmail.com>
To: Yasuo Ohgaki <yohgaki@ohgaki.net>
Cc: Adam Harvey <aharvey@php.net>, PHP internals <internals@lists.php.net>, Leigh <leight@gmail.com>, 
	reeze <reeze@php.net>
Content-Type: multipart/alternative; boundary=001a11c16f087786f7050e61f67e
Subject: Re: [PHP-DEV] Re: [RFC][DISCUSSION] script() and script_once()
From: pierre.php@gmail.com (Pierre Joye)

--001a11c16f087786f7050e61f67e
Content-Type: text/plain; charset=UTF-8

On Feb 6, 2015 9:08 AM, "Yasuo Ohgaki" <yohgaki@ohgaki.net> wrote:
>
> Hi Pierre,
>
> On Fri, Feb 6, 2015 at 10:39 AM, Pierre Joye <pierre.php@gmail.com> wrote:
>>
>> I do not put high value in this ISO ;-)
>
>
> I am :)  Almost all of my clients are ISMS or similar certified.

Marketing ;)

>> However, back to this exact feature. I am not convinced it is the
>> right way, there are many cases required more than just checking valid
>> code (<?php ...), like bash bang lines, phar or other script
>> archives-like solutions. And even with this solution, a compromised
>> server (via a web app or other) could still do whatever they want with
>> php scripts if the web server is not configured correctly.
>
>
> With this proposal, <?php is allowed only at the top of a file.

So phar won't work with require_script? If that's the case then it does
look good to me.

> For example, one of the easiest way to take over servers is embed
> script into session data files. This is prevented effectively.
>
> Users who allows phar/etc file uploads, they may have encryption or
> compression as mitigation.

What does it have to do with upload?

Uploads are and should not be in a folder where php can be executed. This
is a basic configuration issue on almost all web servers.

>This mitigation works well, but we cannot
> enforce all users to adopt. It requires additional code/CPU resource...
> It may ruin usability also. e.g. Files compressed by lzo or any other
> fancy algorithms are not easily accessed.

I won't say it is good or bad but phar, to take one example, is widely used.

> I suggest users to configure their OS to protect all kinds of file
reading/writing
> attacks. I agree 100%.
>
> Regards,
>
> --
> Yasuo Ohgaki
> yohgaki@ohgaki.net
>

--001a11c16f087786f7050e61f67e--