Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:82009
Return-Path: <pierre.php@gmail.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 55022 invoked from network); 6 Feb 2015 04:16:33 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 6 Feb 2015 04:16:33 -0000
Authentication-Results: pb1.pair.com header.from=pierre.php@gmail.com; sender-id=pass
Authentication-Results: pb1.pair.com smtp.mail=pierre.php@gmail.com; spf=pass; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.216.50 as permitted sender)
X-PHP-List-Original-Sender: pierre.php@gmail.com
X-Host-Fingerprint: 209.85.216.50 mail-qa0-f50.google.com  
Received: from [209.85.216.50] ([209.85.216.50:53697] helo=mail-qa0-f50.google.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id 4E/22-45146-02044D45 for <internals@lists.php.net>; Thu, 05 Feb 2015 23:16:32 -0500
Received: by mail-qa0-f50.google.com with SMTP id k15so9182473qaq.9
        for <internals@lists.php.net>; Thu, 05 Feb 2015 20:16:29 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=mime-version:in-reply-to:references:date:message-id:subject:from:to
         :cc:content-type;
        bh=HU52LCoF7k2F6TYfw56qnHAi1Iz5iENB8CAfinJ4GJo=;
        b=hu5yjXSx9Azbd1gb2j+g/lb7K/35CLZR4cflELVtnxjZZfv8omUCARRz40VUHnycIF
         iRG/IDJs/wRTBSq7kCproMlSMepNFE9OVdK68XnohkvydtMggxi1GXE0ygNYhRdeCJCM
         Km98DomCTpqK83TrZD8f0RkA/Pe0Kk7Op1ZSOZ+AQHiU8ttwRJlj6/DoCEHFm5R88iiz
         aaGnPMxC7T9mE9W2sgsrMgSJgP7y+QRtnLDPexFvAORZY6XrnlIR6d39iig9ct/4aZ+f
         qRL0Z+tdKHCR+5HnRqR+HNHm551KXHltW8+saGMRCYdsZm+b/jRRqTeTBRzY+et5aoL9
         Ofxw==
MIME-Version: 1.0
X-Received: by 10.140.95.179 with SMTP id i48mr3885164qge.4.1423196189092;
 Thu, 05 Feb 2015 20:16:29 -0800 (PST)
Received: by 10.96.3.168 with HTTP; Thu, 5 Feb 2015 20:16:29 -0800 (PST)
In-Reply-To: <CAGa2bXbfrAw6P5=cFA3bWUZ3rxm9aquCODB5+e=ZR6NUzY+y_A@mail.gmail.com>
References: <CAGa2bXZMxxXBOQ=NdbNtzgrjjvdomV8zOr+Z4zASZU4+JHmqyw@mail.gmail.com>
	<CAGa2bXbf=hzbZ9eH6JVnMM0+6OeTQvAoqBe44g8qxFAAr9u9Kw@mail.gmail.com>
	<CAG1choq8S_EkdS22SFO+443u_LYVB-Z-b2ra6RK8sDhrJKc-VQ@mail.gmail.com>
	<CAGa2bXbJyK=2GCmGDw7PAh0ib=EL9GO7FFGf0X6VyAWqfR8EAA@mail.gmail.com>
	<CADajX4CHHdSpUfLfjhwrtdzmJfg9di4FpfeVEzBG4P7K7B+e0w@mail.gmail.com>
	<CAPwsocGh_-SYiWceEg=5go8G1bUs+CWUBb9uv_2Oh7AZhBxd8A@mail.gmail.com>
	<CAGa2bXY36wVN50sQ=MTYi+X6664+NYqMhsYFVZ9jeFZ1DXBg9Q@mail.gmail.com>
	<CAEZPtU5=vJG6=cguZfcT6RBriu8GT9vfW=Lqva8-XfEnXzZ23Q@mail.gmail.com>
	<CAGa2bXarZ4A9+HPXniAvBxEtE9KEJTYHHW8aYHCkBsNN5dRNUw@mail.gmail.com>
	<CAEZPtU4ThQHcH1hsgYaKwd2yOKAGP7obmcDH15qbDVr6CdgzSQ@mail.gmail.com>
	<CAGa2bXbWZJ--nkPaskRfCB91wqXSfY7LCwTefVa-ERxaY2r8Nw@mail.gmail.com>
	<CAEZPtU6mhc4asyeiab8RmFwBcUT873eXB1EPoePswQ0Xw0392g@mail.gmail.com>
	<CAGa2bXbcrS339yoyg4q3GakaGHSuc5Ga_Rd4A3E7=50xKRhfrw@mail.gmail.com>
	<CAEZPtU7Ywfha2BLXR+rrOc5ZdV4rEuxyAFvNddngR8jyEPH=Aw@mail.gmail.com>
	<CAGa2bXbygxH8=Con3_OckFW4V+WmD97axAZ+VOo2rnrY8gz12g@mail.gmail.com>
	<CAEZPtU7vuygaLPGdE-T8Ep_-GTg_Vzsggb1BRgjSHhU09n7z+w@mail.gmail.com>
	<CAGa2bXbfrAw6P5=cFA3bWUZ3rxm9aquCODB5+e=ZR6NUzY+y_A@mail.gmail.com>
Date: Fri, 6 Feb 2015 11:16:29 +0700
Message-ID: <CAEZPtU5hEzyNZkNKcmPY4pfrL1Nc-Dzsu3-ogXtuhimCOgsj5Q@mail.gmail.com>
To: Yasuo Ohgaki <yohgaki@ohgaki.net>
Cc: Adam Harvey <aharvey@php.net>, PHP internals <internals@lists.php.net>, Leigh <leight@gmail.com>, 
	reeze <reeze@php.net>
Content-Type: text/plain; charset=UTF-8
Subject: Re: [PHP-DEV] Re: [RFC][DISCUSSION] script() and script_once()
From: pierre.php@gmail.com (Pierre Joye)

On Fri, Feb 6, 2015 at 11:08 AM, Yasuo Ohgaki <yohgaki@ohgaki.net> wrote:

>
> On Fri, Feb 6, 2015 at 12:40 PM, Pierre Joye <pierre.php@gmail.com> wrote:
>>
>> > Even if uploaded files are stored under non web root dir, attackers can
>> > use
>> > path
>> > traversal or even full path with bad code. As long as PHP can access,
>> > attacker
>> > can access to files for inclusion attacks. Compression/encryption
>> > prevents
>> > attack files executing via script()/require(). Does this answer to you?
>>
>> Not really. One will have to use exec and call php and the desired
>> file as a well configured server won't allow exec of php in the upload
>> or tmp dir, via the web server. It does not mean they are outside a
>> web doc root, only that no php (or other) will ever be executed from
>> there.
>
>
> With SElinux, we can restrict access. However, PHP should be able to
> read/write
> uploaded files. PHP just read and execute them with include.

Again, I am talking about executing files. You can exclude a file,
path, folder for being invoked with a handler or similar things on a
web server. It has nothing to do with the PHP ability to access this
file as normal data. That won't prevent a file_get_contents+eval but
you get the idea.

> Is windows possible to prevent PHP to load script and execute? While
> allowing write/read access?

Yes and no. It is a web server role. Linux allows access restrictions
too, windows only provides a much more fine grained ACL. But again, it
is not what I am referring to.


> I have similar idea for PHP to have data only dirs.

We have that already, not for php, but for web servers. This is their
job to deal with that.

>>
>>
>> Also PHP is one part of the big picture, so I will simply summarize it
>> as "as long as one can access" instead of "as long as PHP can access".
>> That says all we need to know about emulating (badly anyway) OS
>> security features in PHP.
>>
>> > I realized that I didn't think of byte compiler format. I have to
>> > research
>> > it.
>> > IIRC, Zend allows to have custom script loader.
>> > Could anyone give some pointers to look around? or give some ideas?
>>
>> PHK and Phar f.e.
>
>
> Thank you. I'll check PHK.
> I guess I should check Zend product, too.
>
> Regards,
>
> --
> Yasuo Ohgaki
> yohgaki@ohgaki.net



-- 
Pierre

@pierrejoye | http://www.libgd.org