Newsgroups: php.internals
Xref: news.php.net php.internals:82439
Message-ID: <54DB0575.8020506@gmail.com>
Date: Tue, 10 Feb 2015 23:32:05 -0800
From: smalyshev@gmail.com (Stanislav Malyshev)
To: Yasuo Ohgaki, "internals@lists.php.net"
Subject: Re: [PHP-DEV] [RFC][DISCUSSION] Script only includes

Hi!

> Some of you are tired of this topic, but please take a look at the RFC
>
> [RFC] Script only includes - this is the 3rd version.
> https://wiki.php.net/rfc/script_only_include
>
> Please let me know what you like or dislike.

I think there are several issues with this RFC:

1. It does not protect against all the problems it purports to protect against. I.e. if you want to protect against local PHP code accessing evil uploaded files, local PHP code can also do echo file_get_contents('/etc/passwd') and still have a problem (actually, a very common LFI issue). Even if the application only allows requiring a random file, it may be possible to inject data via other means - such as data stream, URL, temp files, session files, etc. Upload is not the only way inputs can be controlled.

2. Legitimate files can include
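As an added illustration of the point made in the reply above (this is example code, not part of the thread, the RFC, or PHP itself), the following shows why a restriction on include/require alone is not enough: the same path check has to sit in front of every file-reading primitive, and it has to reject stream wrappers (data:, php://, http://) as well as traversal. The function names, the directory layout and the scratch files are assumptions constructed for the demonstration.

```php
<?php
// Added example, not from the original mailing-list post. Names and the
// scratch directory are constructed for the demonstration.
declare(strict_types=1);

/**
 * Resolve a user-supplied relative name to a real file inside $baseDir,
 * or return null if it names anything else (wrapper, traversal, absent file).
 */
function resolve_local_file(string $baseDir, string $name): ?string
{
    // A scheme prefix (php://, data:, http://, ...) means this is a stream
    // wrapper, not a plain local path. Reject it outright.
    if (preg_match('#^[a-z][a-z0-9+.\-]*:#i', $name)) {
        return null;
    }
    // An embedded NUL byte would truncate the path seen by the C-level open().
    if (strpos($name, "\0") !== false) {
        return null;
    }
    $base = realpath($baseDir);
    $real = realpath($baseDir . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $real === false || !is_file($real)) {
        return null;
    }
    // The canonical target must stay under the canonical base; this is what
    // stops "../" sequences and symlinks that point outside the directory.
    if (strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $real;
}

/** Read a data file: guarded exactly like an include, because reading leaks just as much. */
function read_template(string $templateDir, string $name): string
{
    $path = resolve_local_file($templateDir, $name);
    if ($path === null) {
        throw new InvalidArgumentException("refusing to read outside template dir: $name");
    }
    return file_get_contents($path);
}

/** Include a script only from the allow-listed directory and only with a .php suffix. */
function include_script(string $scriptDir, string $name): void
{
    $path = resolve_local_file($scriptDir, $name);
    if ($path === null || substr($path, -4) !== '.php') {
        throw new InvalidArgumentException("refusing to include: $name");
    }
    require $path;
}

// Constructed demonstration: a scratch directory holding one legitimate file.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'script_only_demo_' . getmypid();
mkdir($dir);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'hello.txt', "hello\n");

$cases = [
    'hello.txt',                          // inside the base directory: accepted
    '../../etc/passwd',                   // traversal out of the base: rejected
    'php://filter/resource=hello.txt',    // stream wrapper: rejected
    'data:text/plain,hi',                 // data stream: rejected
    "hello.txt\0.bak",                    // NUL truncation attempt: rejected
];
foreach ($cases as $name) {
    $result = resolve_local_file($dir, $name);
    printf("%-36s => %s\n", addcslashes($name, "\0"), $result === null ? 'rejected' : 'ok');
}

unlink($dir . DIRECTORY_SEPARATOR . 'hello.txt');
rmdir($dir);
```

The check is deliberately a single function shared by read_template() and include_script(): as the reply argues, a rule that only constrains include/require leaves file_get_contents() and the various wrappers and temporary files untouched, so the validation has to be applied wherever a user-influenced name reaches the filesystem.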