From: rowan.collins@gmail.com (Rowan Collins)
To: internals@lists.php.net
Date: Sun, 08 Feb 2015 20:02:07 +0000
Subject: Re: [PHP-DEV] [RFC][DISCUSSION] Introduce scrpt_path
Newsgroups: php.internals
Message-ID: <54D7C0BF.7000107@gmail.com>

On 08/02/2015 09:03, Yasuo Ohgaki wrote:
>> If this was a PHP_INI_PERDIR setting, then I wouldn't really mind as much.
>>
>> But as PHP_INI_USER, I don't like it at all.
> How about allow to set the ini only once during execution?

Like open_basedir [1], it should probably be possible to *tighten* the settings, but never *loosen* them. So, you could remove items from script_path, or alter them to be more specific; or you could add them to upload_path, or alter them to be more general.

The relationship to open_basedir should perhaps be more explicit - for instance, your example of require('/etc/passwd') is better handled by open_basedir, which also prevents readfile('/etc/passwd').

A file path should ideally be evaluated against 3 tests:

A) should this file be accessible, and readable? (controllable through open_basedir; should be a pre-requisite for B and C)
B) should this file be writable? (currently left to OS level protection)
C) should this file be executable as PHP code? (should apply through include()/require(), and also if passed as a direct argument to the PHP SAPI; the latter part is currently left to the web server configuration, while the first part cannot be controlled at all)

Even with all of these, there are still vulnerabilities, just ones which require multiple steps, e.g.:

- for any file in (A), read its contents into memory, and trick the application into executing it from a string
- find an intersection between (B) and (C), such as a compiled template cache, and inject a string from user input, or a file in (A), which will then be executed

[1]: http://php.net/manual/en/ini.core.php#ini.open-basedir

-- 
Rowan Collins [IMSoP]
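
The "tighten, never loosen" rule from the message above, sketched as an added example that is not part of the original e-mail or of PHP's source. The names is_tightening, path_within and has_dotdot are hypothetical, and script_path is assumed to be a ':'-separated allow-list of absolute, symlink-resolved directories in which an empty list means "unrestricted", as with open_basedir.

```c
#include <stdio.h>
#include <string.h>

/* 1 if path equals base or lies beneath it; whole components only,
   so /var/www2 is not inside /var/www. */
static int path_within(const char *path, size_t plen, const char *base, size_t blen)
{
    while (blen > 1 && base[blen - 1] == '/') blen--;   /* ignore trailing '/' */
    if (plen < blen || strncmp(path, base, blen) != 0) return 0;
    return plen == blen || path[blen] == '/' || (blen == 1 && base[0] == '/');
}

/* 1 if the entry has a ".." component, which could climb out of its prefix. */
static int has_dotdot(const char *s, size_t n)
{
    for (size_t i = 0; i + 1 < n; i++)
        if (s[i] == '.' && s[i + 1] == '.' && (i == 0 || s[i - 1] == '/') &&
            (i + 2 == n || s[i + 2] == '/'))
            return 1;
    return 0;
}

/* Hypothetical tighten-only check: accept `proposed` only if each entry is
   equal to, or inside, an entry of `current` (removed or made more specific).
   Assumed: empty list = unrestricted; entries absolute and symlink-resolved. */
int is_tightening(const char *current, const char *proposed)
{
    if (*current == '\0') return 1;    /* unrestricted: any list narrows it */
    if (*proposed == '\0') return 0;   /* back to unrestricted: loosening */
    for (const char *p = proposed;;) {
        size_t plen = strcspn(p, ":");
        int covered = 0;
        if (plen == 0 || p[0] != '/' || has_dotdot(p, plen)) return 0;
        for (const char *c = current; !covered;) {
            size_t clen = strcspn(c, ":");
            covered = clen > 0 && path_within(p, plen, c, clen);
            if (c[clen] == '\0') break;
            c += clen + 1;
        }
        if (!covered) return 0;        /* entry outside every current entry */
        if (p[plen] == '\0') return 1;
        p += plen + 1;
    }
}

int main(void)
{
    const char *cur = "/var/www/app:/usr/share/php";   /* constructed sample */
    printf("%d\n", is_tightening(cur, "/var/www/app/src"));   /* narrower */
    printf("%d\n", is_tightening(cur, "/var/www/app:/tmp"));  /* adds /tmp */
    return 0;
}
```

For a list where adding entries is the restrictive direction, as the message suggests for upload_path, the same check applies with the two arguments swapped.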