Newsgroups: php.internals
Xref: news.php.net php.internals:83692
Subject: Re: [PHP-DEV] Re: [RFC] Script only include/require
From: smalyshev@gmail.com (Stanislav Malyshev)
To: Pádraic Brady, Dmitry Stogov
CC: Yasuo Ohgaki, internals@lists.php.net, Nikita Popov
Date: Tue, 24 Feb 2015 11:45:39 -0800
Message-ID: <54ECD4E3.9040705@gmail.com>

Hi!

> Will it add a significant level of protection? No.
>
> Does it add protection? Yes.
>
> Each time we add some incremental security hardening, we make it a bit
> harder to create vulnerabilities. In this case, if there were code

In this case, it seems not to be much harder than changing a URL a bit or
uploading a file under a different extension. OTOH, it creates a false
sense of security - oh, I'm using the secure settings, now I can forget
about caring for LFI! - and also has huge BC break potential. For me, it
looks like a magic quotes comeback.

> injection issue, the attacker must a) include a local file (not always
> useful) or b) upload some other apparently innocent file capable of
> being included (extremely useful). As such, this patch would lock out
> an obvious path by restricting the files that can be included to a
> more limited subset.

Unless you disable phar, you can still include pretty much anything by
just using phar includes, as far as I can see. I'm pretty sure there are
also other stream tricks possible (data://? zip://?)

> Enough incremental improvements add up to a significant improvement.

If that were always true, safe mode and magic quotes would still be here
with us.

-- 
Stas Malyshev
smalyshev@gmail.com
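As an added example (not code from this thread, from the RFC, or from PHP itself), the following include guard for PHP 8 or later shows what an application-level mitigation for LFI looks like when the extension check is the last step rather than the only one: any stream wrapper or URL scheme (phar://, data://, zip://, ...) is refused outright, the path is confined to one base directory after realpath() resolution, and only then is the extension allow-list consulted. The class name IncludeGuard, the ./templates directory and the sample inputs are assumptions constructed for this example.

```php
<?php
// Added example, not code from the thread or the RFC. Requires PHP 8+.
// The base directory, allow-list and sample inputs below are constructed.
declare(strict_types=1);

final class IncludeGuard
{
    private string $baseDir;
    /** @var string[] lowercase extensions that may be included */
    private array $allowedExtensions;

    public function __construct(string $baseDir, array $allowedExtensions = ['php'])
    {
        $real = realpath($baseDir);
        if ($real === false || !is_dir($real)) {
            throw new InvalidArgumentException("Base directory does not exist: $baseDir");
        }
        $this->baseDir = rtrim($real, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
        $this->allowedExtensions = array_map('strtolower', $allowedExtensions);
    }

    /**
     * Returns the resolved absolute path if $candidate is safe to include,
     * or null (with the reason in $why) otherwise. Only relative paths are
     * accepted; anything that looks like a scheme is treated as a wrapper.
     */
    public function resolve(string $candidate, ?string &$why = null): ?string
    {
        // 1. Reject stream wrappers and URL schemes before touching the
        //    filesystem: "phar://...", "data://...", "zip://..." all start
        //    with "<scheme>:", which a plain relative file path never needs.
        if (str_contains($candidate, "\0") || preg_match('#^[a-z][a-z0-9+.\-]*:#i', $candidate)) {
            $why = 'stream wrapper or URL scheme rejected';
            return null;
        }
        // 2. Resolve symlinks and ".." against the real filesystem, then
        //    require the result to still live under the base directory.
        $real = realpath($this->baseDir . $candidate);
        if ($real === false || !is_file($real)) {
            $why = 'file does not exist';
            return null;
        }
        if (!str_starts_with($real, $this->baseDir)) {
            $why = 'path escapes base directory';
            return null;
        }
        // 3. The extension check comes last; on its own it is the check the
        //    thread argues is easy to sidestep.
        $ext = strtolower(pathinfo($real, PATHINFO_EXTENSION));
        if (!in_array($ext, $this->allowedExtensions, true)) {
            $why = "extension .$ext not allowed";
            return null;
        }
        return $real;
    }

    /** Include the file, or throw instead of silently falling through. */
    public function includeFile(string $candidate): mixed
    {
        $path = $this->resolve($candidate, $why);
        if ($path === null) {
            throw new RuntimeException("Refusing to include '$candidate': $why");
        }
        return include $path;
    }
}

// Usage with constructed inputs; assumes a ./templates directory next to this
// script containing header.php. Only .php files under it may be loaded.
$guard = new IncludeGuard(__DIR__ . '/templates');
$samples = [
    'header.php',                  // accepted (if the file exists)
    '../config.ini',               // rejected: escapes base directory or wrong extension
    'phar://upload.jpg/x.php',     // rejected: stream wrapper
    'data://text/plain,hello',     // rejected: stream wrapper
];
foreach ($samples as $candidate) {
    $ok = $guard->resolve($candidate, $why);
    printf("%-30s => %s\n", $candidate, $ok ?? "rejected ($why)");
}
```

The order of the checks is the point: a scheme test and a base-directory confinement catch the phar://, data:// and zip:// cases the message raises, which an extension-only rule in the engine would not, and they do so in the application, where the allowed set of files is actually known.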