Newsgroups: php.internals
From: yohgaki@ohgaki.net (Yasuo Ohgaki)
To: Pierre Joye
Cc: Adam Harvey, PHP internals, Leigh, reeze
Date: Fri, 6 Feb 2015 12:33:29 +0900
Subject: Re: [PHP-DEV] Re: [RFC][DISCUSSION] script() and script_once()

Hi Pierre,

On Fri, Feb 6, 2015 at 11:13 AM, Pierre Joye wrote:

> > I am :) Almost all of my clients are ISMS or similar certified.
>
> Marketing ;)
>
> >> However, back to this exact feature. I am not convinced it is the
> >> right way; there are many cases requiring more than just checking valid
> >> code (
> >> archives-like solutions. And even with this solution, a compromised
> >> server (via a web app or other) could still do whatever they want with
> >> php scripts if the web server is not configured correctly.
> >
> > With this proposal,
>
> So phar won't work with require_script? If that's the case then it does
> look good to me.

Good point! I'll add this to the RFC.

I'm not too familiar with the phar format. Uncompressed phar has

> > For example, one of the easiest ways to take over servers is to embed
> > script into session data files. This is prevented effectively.
> >
> > Users who allow phar/etc. file uploads may have encryption or
> > compression as mitigation.
>
> What does it have to do with upload?
>
> Uploads are not, and should not be, in a folder where php can be executed.
> This is a basic configuration issue on almost all web servers.

I agree that files are better/should be located somewhere other than the web
root. Many apps only check the extension and store anything under the web
root. Even if uploaded files are stored under a non-web-root dir, attackers
can use path traversal or even the full path with bad code. As long as PHP
can access the files, an attacker can use them for inclusion attacks.
Compression/encryption prevents attack files from executing via
script()/require().

Does this answer your question?

I realized that I didn't think of the byte-compiler format. I have to
research it. IIRC, Zend allows a custom script loader. Could anyone give
some pointers on where to look, or give some ideas?

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net