Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:82484
Return-Path: <yohgaki@gmail.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 46952 invoked from network); 11 Feb 2015 17:29:02 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 11 Feb 2015 17:29:02 -0000
Authentication-Results: pb1.pair.com smtp.mail=yohgaki@gmail.com; spf=pass; sender-id=pass
Authentication-Results: pb1.pair.com header.from=yohgaki@gmail.com; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.218.54 as permitted sender)
X-PHP-List-Original-Sender: yohgaki@gmail.com
X-Host-Fingerprint: 209.85.218.54 mail-oi0-f54.google.com  
Received: from [209.85.218.54] ([209.85.218.54:49044] helo=mail-oi0-f54.google.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id AF/70-41131-C519BD45 for <internals@lists.php.net>; Wed, 11 Feb 2015 12:29:01 -0500
Received: by mail-oi0-f54.google.com with SMTP id v63so29873286oia.13
        for <internals@lists.php.net>; Wed, 11 Feb 2015 09:28:57 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=mime-version:sender:in-reply-to:references:from:date:message-id
         :subject:to:cc:content-type;
        bh=dWqHR2Ddzmo9JSBb2i1ZgLAwW7xs6hnhqN9CLvdZXZ0=;
        b=NjtUEa28YczK1UBIIhRVHQixv+LMHxfMd45ZvqdREud2vdi11UU/QLsSCVjXA96WxU
         R4Q6oYVtlhHJjhdrL1slcm/CK1bgNhDlD4qRIttUdcpuMyNlGrVOpA4tGRHyQFMtLn1u
         03gOyRubBZYRagAc7qchzT+ND6ZDvwByBlep/uk2cWi3Qj1cESLzcarThQEku0D0me9e
         66yrwegnrT8wKRsSJd35GqlOLUhEtT2JJV4Xk2CboFpYAk405beFR0ItEtzP7lnEnmrG
         uBi0QYfP4iDlj0EJ8FkgCD4nSzwr6viL70UYZliSpo8coiKYcTk+ER0wvW9k+gI9c5uH
         yiLg==
X-Received: by 10.202.49.138 with SMTP id x132mr19058814oix.7.1423675737183;
 Wed, 11 Feb 2015 09:28:57 -0800 (PST)
MIME-Version: 1.0
Sender: yohgaki@gmail.com
Received: by 10.202.229.9 with HTTP; Wed, 11 Feb 2015 09:28:17 -0800 (PST)
In-Reply-To: <54DB0575.8020506@gmail.com>
References: <CAGa2bXZsANJz_RvsBvC9yBhac+ukHYUngA=GjLOgcqTTPbpGhg@mail.gmail.com>
 <54DB0575.8020506@gmail.com>
Date: Thu, 12 Feb 2015 02:28:17 +0900
X-Google-Sender-Auth: jYZYhyUBd1vSCSWMqgxl17WBI3Y
Message-ID: <CAGa2bXY1XQa3JbQG1EK2aXtHN_7QL64WPJQhBWn5=ZCVYrX5Hw@mail.gmail.com>
To: Stanislav Malyshev <smalyshev@gmail.com>
Cc: "internals@lists.php.net" <internals@lists.php.net>
Content-Type: multipart/alternative; boundary=001a113c9854971e36050ed3563c
Subject: Re: [PHP-DEV] [RFC][DISCUSSION] Script only includes
From: yohgaki@ohgaki.net (Yasuo Ohgaki)

--001a113c9854971e36050ed3563c
Content-Type: text/plain; charset=UTF-8

Hi Stas,

On Wed, Feb 11, 2015 at 4:32 PM, Stanislav Malyshev <smalyshev@gmail.com>
wrote:

> > Some of you are tired with this topic, but please take a look the RFC
> >
> > [RFC] Script only includes - this is 3rd version.
> > https://wiki.php.net/rfc/script_only_include
> >
> > Please let me know what you like or dislike.
>
> I think there are several issues with this RFC:
>
> 1. It does not protect against all the problems it purports to protect.
> I.e. if you want to protect against local PHP code accessing evil
> uploaded files, local PHP code can also do echo
> file_get_contents('/etc/paswd') and still have a problem (actually, very
> common LFI issue).  Even if the application only allows to require
> random file, it may be possible to inject data via other means - such as
> data stream, URL, temp files, session files, etc. Upload is not the only
> way inputs can be controlled.
>

File disclosure issue is not scope of this RFC.

2. Legitimate files can include <? as byte sequence - in fact, it is
> almost guaranteed big enough binary file would contain it. Restricting
> upload of such files would break uploading functionality on many sites.
>

Good point.
User needs compression/encryption to avoid issues.

I may make move_uploaded_file() more strict.
How about syntax check? If it detected as script and there is no syntax
errors,
then reject. This will never happens binaries.

However, this is not enough. User may upload text with PHP program sample.
So add and options that force to move embedded PHP script?

Another possibility is use of filename extension(s). It's going back to old
approach,
but register script extension and allow execution only for matched
extension.
This may be the way to go.

3. General approach of this RFC is, given site with glaring security
> hole in their code, give them a measure of protection against some of
> the consequences. This looks like safe_mode approach, and that proved
> ineffective in the past.


I'm not trying to be perfect, but I would like to make PHP as secure as
other
languages from script inclusion attacks. It's too easy currently...

I hope we have consensus for a resolution.

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net

--001a113c9854971e36050ed3563c--