Newsgroups: php.internals
Date: Tue, 24 Feb 2015 20:33:17 +0000
In-Reply-To: <54ECD4E3.9040705@gmail.com>
Subject: Re: [PHP-DEV] [RFC] Script only include/require
From: Pádraic Brady <padraic.brady@gmail.com>
To: Stanislav Malyshev
Cc: Dmitry Stogov, Yasuo Ohgaki, internals@lists.php.net, Nikita Popov

Hi

On Tuesday, February 24, 2015, Stanislav Malyshev wrote:

> Hi!
>
> > Will it add a significant level of protection? No.
> >
> > Does it add protection? Yes.
> >
> > Each time we add some incremental security hardening, we make it a bit
> > harder to create vulnerabilities. In this case, if there were code
>
> In this case, it seems not to be much harder than changing an URL a bit
> or uploading a file under different extension. OTOH, it creates a false
> sense of security - oh, I'm using the secure settings, now I can forget
> about caring for LFI! - and also has huge BC break potential. For me, it
> looks like magic quotes comeback.

They'd need to upload with a matching file type, instead of any file type. Fewer possible types is by definition less than all types.

This is not even remotely magic quotes. No input is altered.

> > injection issue, the attacker must a) include a local file (not always
> > useful) or b) upload some other apparently innocent file capable of
> > being included (extremely useful). As such, this patch would lock out
> > an obvious path by restricting the files that can be included to a
> > more limited subset.
>
> Unless you disable phar, you can still include pretty much anything by
> just using phar includes, as far as I can see. I'm pretty sure there are
> also other stream tricks possible (data://? zip://?)

None of this detracts from limiting file includes. Other potential weaknesses could be addressed separately if you agree there's more than one not addressed here. One might say... incrementally.

Also, we are obviously talking about PHP includes with this RFC...

> > Enough incremental improvements add up to a significant improvement.
>
> If that were always true, safe mode and magic quotes would still be here
> with us.

You keep mentioning magic quotes. That was never an improvement. It was removed from PHP. Please stop trying to associate two unrelated things to establish bad practice by word proximity. The sentence is obviously true.

Paddy

-- 
Pádraic Brady
http://blog.astrumfutura.com
http://www.survivethedeepend.com
Zend Framework Community Review Team
Zend Framework PHP-FIG Representative
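As an added example (not code from this thread, from the RFC under discussion, or from PHP itself), the PHP helper below shows the layered check the exchange above is really about: an extension allow-list on its own, which is the "script only" restriction, and what has to sit next to it so that stream wrappers such as phar://, data:// and zip:// or a path that climbs out of the include directory do not get past it. The constant BASE_DIR, the function name safe_include_path and the sample paths are assumptions made for the example.

```php
<?php
// Added example for the php.internals "Script only include/require" discussion.
// Not part of the thread, the RFC, or PHP. BASE_DIR, safe_include_path and the
// sample paths below are assumptions.

declare(strict_types=1);

const BASE_DIR = '/var/www/app/includes'; // assumed application include root

/**
 * Resolve $candidate to a path that is safe to pass to include/require,
 * or throw. Checks, in order:
 *  1. No stream wrapper ("phar://", "data://", "zip://", "php://", ...).
 *     An extension allow-list alone does not cover this: the wrapper decides
 *     which bytes get executed, not the suffix of the name.
 *  2. The extension is on the allow-list (the RFC's "script only" idea).
 *  3. The path canonicalises (realpath) to a regular file under BASE_DIR, so
 *     "../" sequences and symlinks cannot escape the include root.
 */
function safe_include_path(string $candidate, array $allowedExt = ['php']): string
{
    // 1. Reject anything carrying a scheme; plain relative paths never contain "://".
    if (preg_match('#^[a-z][a-z0-9+.\-]*://#i', $candidate)) {
        throw new InvalidArgumentException("stream wrappers are not allowed: $candidate");
    }
    // A NUL byte would truncate the path in older runtimes; refuse it outright.
    if (strpos($candidate, "\0") !== false) {
        throw new InvalidArgumentException('path contains a NUL byte');
    }

    // 2. Extension allow-list.
    $ext = strtolower(pathinfo($candidate, PATHINFO_EXTENSION));
    if (!in_array($ext, $allowedExt, true)) {
        throw new InvalidArgumentException("extension '$ext' is not includable");
    }

    // 3. Confine to BASE_DIR using the resolved, canonical path.
    $base = realpath(BASE_DIR);
    $real = realpath(BASE_DIR . '/' . $candidate);
    if ($base === false || $real === false) {
        throw new RuntimeException("cannot resolve: $candidate");
    }
    if (strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        throw new RuntimeException("path escapes include root: $candidate");
    }
    if (!is_file($real)) {
        throw new RuntimeException("not a regular file: $real");
    }
    return $real;
}

// Constructed inputs showing which layer stops each one.
$samples = [
    'pages/home.php',                    // accepted, if the file exists under BASE_DIR
    '../config.ini',                     // rejected at step 2 (extension)
    '../../../tmp/upload.php',           // rejected at step 3 (escapes the root)
    'phar://uploads/avatar.jpg/x.php',   // rejected at step 1 (wrapper), despite ".php"
    'data://text/plain;base64,aGVsbG8=', // rejected at step 1 (wrapper)
];
foreach ($samples as $s) {
    try {
        printf("%-38s -> %s\n", $s, safe_include_path($s));
    } catch (Throwable $e) {
        printf("%-38s -> rejected: %s\n", $s, $e->getMessage());
    }
}
```

The extension check on its own is the behaviour the RFC proposes to enforce in the engine; the wrapper check and the realpath confinement are the two things Stas's phar://, data:// and zip:// objection says must accompany it. This is a userland gate, so it only protects the include sites that call it; it says nothing about include_path resolution or opcache, which are out of scope for the example.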