Newsgroups: php.internals
From: Stanislav Malyshev <smalyshev@gmail.com>
To: Yasuo Ohgaki, internals@lists.php.net
Date: Sun, 22 Feb 2015 14:00:02 -0800
Subject: Re: [PHP-DEV] [RFC] [FINAL DISCUSSION] Script only include/require
Message-ID: <54EA5162.6060408@gmail.com>

Hi!

> I think this will be the final discussion before vote.
> This RFC is to make PHP stronger against script inclusion attacks just like
> other languages.
>
> https://wiki.php.net/rfc/script_only_include

I still think this RFC takes a wrong road for the following reasons:

1. Having any code in your app that allows running include on user-controlled files (I'm not talking about filtered cases, but about user data controlling the path) is insecure and cannot be made secure. It should just never be done. Trying to find workarounds for this is like safe_mode - good idea in theory, leads to worse security in practice.

2. The default configuration would break tons of PHP scripts with extensions other than .php (a very frequent case). The BC break potential of this is very big, as it modifies core functionality.

3. Prohibiting phar uploads would also be a BC break, but more importantly, there probably are still ways to work around this by using phar files with an extension different than .phar and then asking to include files within that phar file. As long as the eventual path ended in .php, your code would allow it.

Also, the claim that move_uploaded_file() is obsolete is not based on anything as far as I can see. Why is it "obsolete"?

-- 
Stas Malyshev
smalyshev@gmail.com
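The first point above argues that an include whose path is driven by user data cannot be filtered into safety and should simply not exist. The following is an added example, not code from the message, the RFC or PHP itself, contrasting that pattern with the usual alternative: user input selects a key in a code-owned map, and the filename comes from the map, so stream wrappers (phar://, data://), traversal sequences and foreign extensions never reach include() at all. The `pages/` directory, the `PAGES` map and the helper names are assumptions made for the illustration.

```php
<?php
// Added example; hypothetical page dispatcher, not the project's own code.

// The pattern point 1 warns against: user data becomes the include path.
// Every check added after the fact (extension, wrapper, "..") is a patch on
// a design that hands path construction to the client.
function render_page_insecure(string $page): void
{
    include __DIR__ . '/pages/' . $page . '.php';   // do not do this
}

// Alternative: user data is only ever a lookup key. The map is the single
// source of filenames, so the set of includable files is fixed in code.
const PAGES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

// Returns the canonical path for a known key, or null for anything else.
function resolve_page(string $page): ?string
{
    if (!array_key_exists($page, PAGES)) {
        return null;                       // unknown key: nothing to include
    }
    $base = realpath(__DIR__ . '/pages');
    $real = realpath(__DIR__ . '/pages/' . PAGES[$page]);
    // realpath() canonicalises and returns false for a missing file; the
    // prefix check guards against a careless future edit of PAGES.
    if ($base === false || $real === false
        || strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $real;
}

function render_page(string $page): void
{
    $path = resolve_page($page);
    if ($path === null) {
        http_response_code(404);
        echo 'Unknown page';
        return;
    }
    include $path;
}

// Constructed request: the 'page' parameter is untrusted client input.
render_page($_GET['page'] ?? 'home');
```

With this layout, `resolve_page('about')` yields the canonical path of `pages/about.php` when that file exists, while inputs such as `../config`, `phar://uploads/x.jpg/a.php` or `about.phtml` are rejected before any filesystem or wrapper access happens, because they are not keys of `PAGES`. That is the property the message relies on: the decision of what may be included is made by code, not recovered from a user-supplied string.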