Newsgroups: php.internals
Subject: Re: [PHP-DEV] Re: [RFC] Script only include/require
From: Pádraic Brady <padraic.brady@gmail.com>
To: Dmitry Stogov
Cc: Yasuo Ohgaki, internals@lists.php.net, Nikita Popov
Date: Tue, 24 Feb 2015 11:56:38 +0000

Hi Dmitry,

On 24 February 2015 at 07:00, Dmitry Stogov wrote:
> I'm not a security expert, but I think that adding check for script
> extension won't add significant level of protection.

Will it add a significant level of protection? No. Does it add protection? Yes.

Each time we add some incremental security hardening, we make it a bit harder to create vulnerabilities. In this case, if there were a code injection issue, the attacker must a) include a local file (not always useful) or b) upload some other apparently innocent file capable of being included (extremely useful). As such, this patch would lock out an obvious path by restricting the files that can be included to a more limited subset.

Enough incremental improvements add up to a significant improvement.

Paddy

--
Pádraic Brady
http://blog.astrumfutura.com
http://www.survivethedeepend.com
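The hardening Paddy describes is an engine-level check, but the same idea can be expressed in userland today. The following is an added example, not code from the RFC, from this thread or from php-src: a small include helper that refuses anything whose resolved path escapes a base directory or whose extension is not a PHP script extension, so an uploaded "image" or text file cannot be pulled in through a dynamic include. The class and method names, the base directory, the allowed-extension list and the sample request value are all assumptions; it is written against PHP 7.1+ syntax.

```php
<?php
// Added example (not from the RFC or this thread): a userland analogue of the
// "script only include" idea. ScriptIncluder and its methods are hypothetical
// names; the base directory and extension list below are assumptions.

declare(strict_types=1);

final class ScriptIncluder
{
    /** @var string[] extensions that may be included (assumed list) */
    private const ALLOWED_EXTENSIONS = ['php', 'phtml'];

    /** @var string absolute, symlink-resolved base directory */
    private $baseDir;

    public function __construct(string $baseDir)
    {
        $real = realpath($baseDir);
        if ($real === false || !is_dir($real)) {
            throw new InvalidArgumentException("Base directory does not exist: $baseDir");
        }
        $this->baseDir = $real;
    }

    /**
     * Resolve a requested script name to an absolute path, or return null when
     * it must not be included. Rejects empty names and embedded NUL bytes,
     * paths that resolve outside $baseDir (".." and symlink escapes), and any
     * file whose final extension is not a PHP script extension.
     */
    public function resolve(string $requested): ?string
    {
        if ($requested === '' || strpos($requested, "\0") !== false) {
            return null;
        }

        // realpath() collapses "..", resolves symlinks and fails for missing files.
        $candidate = realpath($this->baseDir . DIRECTORY_SEPARATOR . $requested);
        if ($candidate === false || !is_file($candidate)) {
            return null;
        }

        // Containment check: the resolved path must sit beneath the base directory.
        $prefix = $this->baseDir . DIRECTORY_SEPARATOR;
        if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
            return null;
        }

        // Extension check on the *last* extension, case-insensitively, so
        // "notes.txt" and "avatar.php.jpg" are both refused.
        $ext = strtolower(pathinfo($candidate, PATHINFO_EXTENSION));
        if (!in_array($ext, self::ALLOWED_EXTENSIONS, true)) {
            return null;
        }

        return $candidate;
    }

    /** Include the requested script, or log and 404 instead of falling back. */
    public function includeScript(string $requested): void
    {
        $path = $this->resolve($requested);
        if ($path === null) {
            error_log('refused include of ' . var_export($requested, true));
            http_response_code(404);
            return;
        }
        require $path;
    }
}

// Usage (assumed layout: templates/ holds the only scripts meant to be included).
// $includer = new ScriptIncluder(__DIR__ . '/templates');
// $includer->includeScript($_GET['page'] ?? '');
```

The extension check is the part that corresponds to the RFC; the containment check is the complementary control that stops the "include a local file" branch of Paddy's a)/b) split. Neither replaces the upload-side rule that user-supplied files must never be written with a script extension into a directory that dynamic includes can reach.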