Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:83537
Return-Path: <yohgaki@gmail.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 42781 invoked from network); 23 Feb 2015 03:34:51 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 23 Feb 2015 03:34:51 -0000
Authentication-Results: pb1.pair.com smtp.mail=yohgaki@gmail.com; spf=pass; sender-id=pass
Authentication-Results: pb1.pair.com header.from=yohgaki@gmail.com; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.216.48 as permitted sender)
X-PHP-List-Original-Sender: yohgaki@gmail.com
X-Host-Fingerprint: 209.85.216.48 mail-qa0-f48.google.com  
Received: from [209.85.216.48] ([209.85.216.48:33617] helo=mail-qa0-f48.google.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id C7/98-33016-ADF9AE45 for <internals@lists.php.net>; Sun, 22 Feb 2015 22:34:51 -0500
Received: by mail-qa0-f48.google.com with SMTP id dc16so20412655qab.7
        for <internals@lists.php.net>; Sun, 22 Feb 2015 19:34:48 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=mime-version:sender:in-reply-to:references:from:date:message-id
         :subject:to:cc:content-type;
        bh=2qs8H6JQyOZi/lci9lUa3fv0N1ENdDUJlP6InMprvI0=;
        b=DfkOHVRATx1u7AjQKO9p4QHjMfPP+29NpvyCoHkB/Hr+QsrUyumRh85QP3ZArxOmMp
         O1Gqb+pGVJCEAj0UzCjodIzCC1EA7vwQKtf5xyRNDKeZMhkX2It6qJa42z8g0FTKfFNj
         eeZq+iOgyYdsfPrwydrKd6Ge32G4ZcoJaPlTESlT1E1pihmadktNAh6cJHIiZaNX3ksV
         OSFqWCb/TwglGq2Zu9+sEEiw3FYW4pxIdkqah8R7X5xnKYpttI/HIM7RvCy1L3fEXTLL
         L2xDZZoV3vhj5IoNyLb3QGrKceKu/Fk1nChlQesOF/fil6yAUgYy8MV/QdWKl3esZq5m
         mzpg==
X-Received: by 10.140.38.102 with SMTP id s93mr947187qgs.106.1424662487905;
 Sun, 22 Feb 2015 19:34:47 -0800 (PST)
MIME-Version: 1.0
Sender: yohgaki@gmail.com
Received: by 10.229.198.8 with HTTP; Sun, 22 Feb 2015 19:34:07 -0800 (PST)
In-Reply-To: <54EA5162.6060408@gmail.com>
References: <CAGa2bXZ_Q4Ytz5HgcmBoKNPzUaCh6vLETkyyd-jVsR9df60RPg@mail.gmail.com>
 <54EA5162.6060408@gmail.com>
Date: Mon, 23 Feb 2015 12:34:07 +0900
X-Google-Sender-Auth: F1hruSNUbmFexaA1qDJcnYJWDio
Message-ID: <CAGa2bXaCTxXqL9W85=eaiq=1Rb9tMJSkRqZ8fH=veReUZYHciw@mail.gmail.com>
To: Stanislav Malyshev <smalyshev@gmail.com>
Cc: "internals@lists.php.net" <internals@lists.php.net>
Content-Type: multipart/alternative; boundary=001a11c125ec843d64050fb915be
Subject: Re: [PHP-DEV] [RFC] [FINAL DISCUSSION] Script only include/require
From: yohgaki@ohgaki.net (Yasuo Ohgaki)

--001a11c125ec843d64050fb915be
Content-Type: text/plain; charset=UTF-8

Hi Stas,

On Mon, Feb 23, 2015 at 7:00 AM, Stanislav Malyshev <smalyshev@gmail.com>
wrote:

> > I think this will be the final discussion before vote.
> > This RFC is to make PHP stronger against script inclusion attacks just
> like
> > other languages.
> >
> > https://wiki.php.net/rfc/script_only_include
>
> I still think this RFC takes a wrong road for the following reasons:
>
> 1. Having any code in your app that allows to run include on
> user-controlled files (I'm not talking about filtered cases but user
> data controlling the path) is insecure and can not be made secure. It
> should just never be done. Trying to find workarounds for this is like
> safe_mode - good idea in theory, leads to worse security in practice.
>

This is mitigation proposal against script inclusions. The difference is
clear
by statistics.

Because this is mitigation, it does not aims to be a perfect solution. It
aims
to make PHP as secure as other languages.

I think system admins feel more comfortable with this change, too.
They know PHP programs are very weak against script inclusion attacks
compare to other languages.


>
> 2. Default configuration would break tons of PHP scripts with extensions
> other than .php (very frequent case). The BC break potential of this is
> very big as it modifies core functionality.
>

Compatibility can be provided by one liner.

ini_set('zend.script_extensions', '.php .phar .inc .phtml .php4 .php5');

ini_set() does not emit any errors for non existing INIs.


3. Prohibiting phar uploads would also be a bc break, but more
> importantly, there still probably are ways to work around this by using
> phar files with extension different than .phar and then asking to
> include files within that phar file. As long as the eventual path would
> end in .php, your code would allow it.
>

Security is trade off relation, so I think this change acceptable trade off
to disable "script inclusion" (executing attacker programs).

Users can move uploaded files safely without move_uploaded_file() now.
I just made use of it to provide another mitigation, since script only
include
cannot be mitigation for uploading script files under docroot.

Also, the claim that move_upload_file() is obsolete is not based on
> anything as far as I can see. Why is it "obsolete"?


move_uplaoded_file() is needed for "register_globals". Attacker could
specify source files (i.e. in $_FILES) other than uploaded files with
"register_globals".

Current move_uploaded_file() checks source filename is really a
uploaded file's filename. It prevents moving other files, so it's not
completely useless but there is not real protections now because
values in $_FILES is safe now.

I know your point of view, but I hope you like this RFC.
Thank you for your comment. Your comments are very helpful to
come up with this RFC.

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net

--001a11c125ec843d64050fb915be--