Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:82035 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 19874 invoked from network); 6 Feb 2015 10:12:17 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 6 Feb 2015 10:12:17 -0000 Authentication-Results: pb1.pair.com smtp.mail=yohgaki@gmail.com; spf=pass; sender-id=pass Authentication-Results: pb1.pair.com header.from=yohgaki@gmail.com; sender-id=pass Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.216.41 as permitted sender) X-PHP-List-Original-Sender: yohgaki@gmail.com X-Host-Fingerprint: 209.85.216.41 mail-qa0-f41.google.com Received: from [209.85.216.41] ([209.85.216.41:51746] helo=mail-qa0-f41.google.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id 97/AE-45146-08394D45 for ; Fri, 06 Feb 2015 05:12:16 -0500 Received: by mail-qa0-f41.google.com with SMTP id bm13so10055404qab.0 for ; Fri, 06 Feb 2015 02:12:13 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc:content-type; bh=YrqAoSbKgilL00fBglw8z6OsWuu3lEdQKXgVPIDl/uM=; b=R3eHGweFWZESHJASFxUExnthiS0skpFgDVO+xhXI6hR+L5N+CHWV3pJ43hacHxviUF zHX1d2Kz6XO3DQQGY1x97AnlDUvez6Eyaj5pTYpdFHWASfpIJ1L8Xaj25tP57IPg1/a8 u0R4kZi8WB3n89aSDz6Tf/cM8fuIgE7Jl/5X7LbmRKhASXnqL6S/zhtULSIk2e4E9PlV 3YEZwm4p954EKE0syJWTaIW7GJB6yaPOWCSbrgQCEhzsE9N9h/UgUMglJUANGj9zog+S fD5oQccrD+UZ/cI/9zsUTGRf9OTmtFAZizPWh3tBPwdRELE4ub9sU1+5c5pUPGzhCKWN WR1A== X-Received: by 10.224.28.198 with SMTP id n6mr6412560qac.15.1423217533850; Fri, 06 Feb 2015 02:12:13 -0800 (PST) MIME-Version: 1.0 Sender: yohgaki@gmail.com Received: by 10.229.28.72 with HTTP; Fri, 6 Feb 2015 02:11:33 -0800 (PST) In-Reply-To: <54D47B97.2080204@lsces.co.uk> References: <54D47B97.2080204@lsces.co.uk> Date: Fri, 6 Feb 2015 19:11:33 +0900 X-Google-Sender-Auth: YDRgbOihkiZANKSpJksUTvfvuFc Message-ID: To: Lester Caine Cc: "internals@lists.php.net" Content-Type: multipart/alternative; boundary=001a11c2cc9a8b18cd050e68a7fc Subject: Re: [PHP-DEV] Re: [RFC][DISCUSSION] script() and script_once() From: yohgaki@ohgaki.net (Yasuo Ohgaki) --001a11c2cc9a8b18cd050e68a7fc Content-Type: text/plain; charset=UTF-8 Hi Lester and all, On Fri, Feb 6, 2015 at 5:30 PM, Lester Caine wrote: > On 06/02/15 05:01, Yasuo Ohgaki wrote: > >> But it is the key point. It is not PHP role to do it. PHP is not > >> > alone. It is a server configuration job. But I have said that already > >> > many times, we got our points :) > > > I understand your point. > > > > We need both OS and PHP feature for perfection. Both of them are > required. > > > > Current PHP just reads & executes all accessible files by include. > > I think you understand my point, too :) > > The question is essentially CAN one prevent PHP on it's own from running > things it shouldn't. In order to prevent people who do not understand > the security risks from 'making a mistake'. The answer is probably only > yes for a distribution that only comes from PHP. Other distributions are > not following guidelines now so expecting them to do in the future is > questionable? This is more about education of the whole infrastructure > but I don't see the point of yet another load mechanism? I thought we > had introduced all the necessary restrictions on include and require > already? From a 'nannying' point of view I would have thought it was > that hole which needed plugging since the people you are trying to > protect will not use a new mechanism anyway? I hope that I have my own > installations configured such that one can't upload material on-line > that can be accessed but having to ensure third party libraries are > using 'script' rather than 'include/require' seems a little problematic ... Apparently, we don't provide key feature to eliminate script/file inclusion attack that is unique to PHP. I think the best way to go is to make 'require()' script only. We need config to specify "script directory" to control script only inclusion. PHP must need to know if a file allowed to be executed. e.g. require('../../file.php') needs to know if it's safe to execute or not. It must be fast. I'm thinking to cache all directory inode number specified by "script directory" config at system initialization. ; All directories under these are script. Empty == disabled. script_path="/var/www/lib;/var/www/html/" ; All directory under these ares files cannot be executed as script ; We don't need "engine=Off" for these directories any more. upload_path="/var/www/html/upload;/var/www/html/user_images" I'm not sure strtmp() or inode cache is faster. I'll take benchmark to see if this is acceptable. Please note that directory path configs are needed because of customizable Zend script loader. i.e. PHP script or not cannot be decide by file contents. I'll rewrite whole RFC later. Comments are appreciated. Regards, -- Yasuo Ohgaki yohgaki@ohgaki.net --001a11c2cc9a8b18cd050e68a7fc--