Newsgroups: php.internals
Subject: Re: [PHP-DEV] [RFC][DISCUSSION] Script only includes
From: yohgaki@ohgaki.net (Yasuo Ohgaki)
To: Pavel Kouřil
Cc: internals@lists.php.net
Date: Wed, 11 Feb 2015 09:29:50 +0900

Hi Pavel,

On Tue, Feb 10, 2015 at 7:06 PM, Pavel Kouřil wrote:
> IMHO the real solution to this problem is to educate the programmers
> how to write safer applications, not by ini settings.

We have tried to educate users already and introduced some mitigations,
e.g. allow_url_include, open_basedir. However, enough time has passed to
prove that wasn't enough, hasn't it?

PHP (many, and these are _only_ a few of them in the wild)
http://www.exploit-db.com/search/?action=search&filter_page=1&filter_description=PHP&filter_author=&filter_platform=0&filter_type=0&filter_lang_id=0&filter_exploit_text=inclusion&filter_port=0&filter_osvdb=&filter_cve=

PERL (0 results)
http://www.exploit-db.com/search/?action=search&filter_page=1&filter_description=&filter_exploit_text=PERL&filter_author=inclusion&filter_platform=0&filter_type=0&filter_lang_id=0&filter_port=&filter_osvdb=&filter_cve=

Rails (0 results)
http://www.exploit-db.com/search/?action=search&filter_page=1&filter_description=Rails&filter_exploit_text=inclusion&filter_author=&filter_platform=0&filter_type=0&filter_lang_id=0&filter_port=&filter_osvdb=&filter_cve=

Python (0 results)
http://www.exploit-db.com/search/?action=search&filter_page=1&filter_description=Python&filter_exploit_text=inclusion&filter_author=&filter_platform=0&filter_type=0&filter_lang_id=0&filter_port=&filter_osvdb=&filter_cve=

JSP (1 result - this is a famous one)
http://www.exploit-db.com/search/?action=search&filter_page=1&filter_description=JSP&filter_exploit_text=inclusion&filter_author=&filter_platform=0&filter_type=0&filter_lang_id=0&filter_port=&filter_osvdb=&filter_cve=

The picture is clear.

I value education as one of the most important security measures indeed.
However, education is not perfect. If there is an effective countermeasure,
it is better to adopt it.

We can write web apps in PHP not only because it's faster to write, but
because it's easier to write secure code. We removed "script embedding"
from regex functions; why not from include?

My new proposal is simple and does not incur a performance penalty.

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net
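The inclusion bug class the thread is arguing about, shown as an added example that is not code from the RFC, from Yasuo's mail or from the PHP project. It assumes PHP 7 or later, a hypothetical `pages/` directory next to the script holding `home.php` and `about.php`, and a request parameter named `page`; everything else is constructed for illustration.

```php
<?php
declare(strict_types=1);

// Added example, not from the RFC or the mailing-list thread.
// Assumed layout: pages live under ./pages/ as pages/<name>.php.

// VULNERABLE: the classic inclusion pattern behind the exploit-db entries.
// The request value becomes the include path, so "../" traversal reads and
// executes arbitrary local files, and with allow_url_include=On a
// "http://" or "data:" wrapper pulls in attacker-supplied code.
function render_page_vulnerable(string $page): void
{
    include $page;
}

// HARDENED: map the request value onto a fixed allow-list, then confirm the
// resolved path still lies under the intended directory before including.
const PAGES = ['home' => 'home.php', 'about' => 'about.php'];

function resolve_page(string $page): ?string
{
    if (!array_key_exists($page, PAGES)) {
        return null; // unknown page: refuse, never build a path from input
    }
    $base = realpath(__DIR__ . '/pages');
    if ($base === false) {
        return null; // pages/ directory missing (assumed layout not present)
    }
    $path = realpath($base . '/' . PAGES[$page]);
    if ($path === false) {
        return null;
    }
    // Defence in depth: realpath() resolves symlinks, so a file placed under
    // pages/ that points outside the directory is rejected here.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

function render_page_hardened(string $page): void
{
    $path = resolve_page($page);
    if ($path === null) {
        http_response_code(404);
        return;
    }
    include $path;
}

// Runtime check of the two mitigations named in the mail. Both are
// PHP_INI_SYSTEM settings, so they must be set in php.ini, not via ini_set().
function inclusion_mitigations(): array
{
    return [
        'allow_url_include' => filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN),
        'open_basedir'      => ini_get('open_basedir') ?: '(unset)',
    ];
}

// Usage with a constructed request value; the vulnerable form is left
// commented out because calling it with untrusted input is the bug.
// render_page_vulnerable($_GET['page'] ?? 'pages/home.php');
render_page_hardened($_GET['page'] ?? 'home');
var_dump(inclusion_mitigations());
```

The allow-list is the real control: once the request value only selects a key, neither traversal nor a stream wrapper can reach `include`. The `realpath()` prefix check and the ini settings are belt-and-braces for the day someone adds a new entry to the map carelessly.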