Newsgroups: php.internals
Date: Tue, 24 Feb 2015 07:18:59 +0900
To: Jan Ehrhardt
Cc: internals@lists.php.net
Subject: Re: [PHP-DEV] [RFC] [FINAL DISCUSSION] Script only include/require
From: yohgaki@ohgaki.net (Yasuo Ohgaki)

Hi Jan,

On Tue, Feb 24, 2015 at 12:51 AM, Jan Ehrhardt wrote:
> Yasuo Ohgaki in php.internals (Mon, 23 Feb 2015 18:53:10 +0900):
> >On Mon, Feb 23, 2015 at 6:52 PM, Yasuo Ohgaki wrote:
> >
> >> ini_set('.php .phar .module .etc');
> >
> >ini_set('zend.script_extensions', '.php .phar .module .etc');
> >
> >to be correct.
>
> Quote from a Drupal 7 .htaccess:
>
> # Protect files and directories from prying eyes.
> <FilesMatch "\.(engine|inc|info|install|make|module|profile|test|po|sh|.*sql|theme|tpl(\.php)?|xtmpl)$|^(\..*|Entries.*|Repository|Root|Tag|Template)$">
>   Order allow,deny
> </FilesMatch>
>
> A lot of these, even .test, are used as include scripts. How would the
> corresponding .htaccess entry for zend.script_extensions be formulated?

My patch allows up to 32 extensions or disabling the protection, so all of these can be used as PHP scripts by

ini_set('zend.script_extensions', ''); // The same as now. No mitigations.

I don't recommend disabling the protection nor adding too many extensions, but it's up to developers.

By the way, the configuration is not for PHP scripts, but file access control from external clients. I suppose Drupal uses far fewer filename extensions for PHP scripts. Otherwise, it will be too weak against script inclusion (or direct PHP script access via uploaded files). I checked Drupal 8 files briefly.
I see a few .module/.inc (there may be others). They may either rename to .module.php/.inc.php or

ini_set('zend.script_extensions', '.php .module .inc .phar');

I suggest developers use the standard extension for PHP scripts, and use only a few extensions as PHP scripts if it's ever needed. Leaving zend.script_extensions at the default and using '.php' as the PHP script extension would be the best practice. I think most apps/scripts follow this already.

Regards,

P.S. My patch does not protect "direct access", i.e. it allows executing PHP scripts specified by web server configurations when PHP is a module of the web server. e.g. SetHandler application/x-httpd-php allows ".png" files to be executed as PHP scripts regardless of "zend.script_extensions". PHP script files are opened by the web server and PHP will not check the file extension in this case. The patch checks only when the script file is loaded by PHP/Zend.

--
Yasuo Ohgaki
yohgaki@ohgaki.net
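To make the extension check discussed in this thread concrete, the block below is an added userland emulation written for this page; it is not the RFC's patch, and `zend.script_extensions` was never merged into PHP, so the function names (`parse_script_extensions`, `script_extension_allowed`, `guarded_include`) and the sample Drupal-style paths are assumptions made up for illustration. It models the two behaviours the message describes: an empty list disables the protection, and a non-empty list allows include/require only for files whose final extension is on the list.

```php
<?php
// Added example, not code from the RFC patch or from Drupal.
// Userland emulation of a script-extension allow-list for include/require.
// "zend.script_extensions" does not exist in PHP; the list is passed in explicitly here.

/**
 * Parse a space-separated list such as ".php .phar .module .inc".
 * An empty string yields [] and means "no restriction", mirroring
 * ini_set('zend.script_extensions', '') in the message above.
 */
function parse_script_extensions(string $list): array
{
    $exts = preg_split('/\s+/', trim($list), -1, PREG_SPLIT_NO_EMPTY);
    return array_map('strtolower', $exts);
}

/**
 * Decide whether $path may be loaded as a PHP script.
 * Only the final extension of the basename counts, so "upload.php.png"
 * is judged by ".png" and "bootstrap.inc.php" by ".php".
 */
function script_extension_allowed(string $path, array $allowed): bool
{
    if ($allowed === []) {
        return true; // empty list: protection disabled, as in the message
    }
    $base = basename($path);
    $dot  = strrpos($base, '.');
    if ($dot === false) {
        return false; // no extension at all: never treated as a script
    }
    $ext = strtolower(substr($base, $dot));
    return in_array($ext, $allowed, true);
}

/**
 * include wrapper that refuses anything outside the allow-list, so a path
 * that ends up pointing at an uploaded image or text file is not run as code.
 */
function guarded_include(string $path, string $list)
{
    if (!script_extension_allowed($path, parse_script_extensions($list))) {
        throw new RuntimeException(
            "Refusing to include '$path': extension not in script allow-list"
        );
    }
    return include $path;
}

// Self-check with constructed (hypothetical) paths; no files are opened here.
$allowed = parse_script_extensions('.php .module .inc .phar');
assert(script_extension_allowed('modules/node/node.module', $allowed));
assert(script_extension_allowed('includes/bootstrap.inc', $allowed));
assert(script_extension_allowed('sites/default/settings.php', $allowed));
assert(!script_extension_allowed('sites/default/files/avatar.png', $allowed));
assert(!script_extension_allowed('sites/default/files/upload.php.png', $allowed));
assert(!script_extension_allowed('sites/default/files/README', $allowed));
// Empty list switches the check off entirely.
assert(script_extension_allowed('sites/default/files/avatar.png', parse_script_extensions('')));
```

As the P.S. above points out, a check of this kind only runs when PHP itself loads the file; a web server handler mapping such as SetHandler executes whatever the server hands to PHP before any extension test happens. The quoted Drupal FilesMatch block is the complementary, server-side control: it stops external clients from requesting the include files directly, while the allow-list stops the application from including files that were never meant to be scripts.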