Newsgroups: php.internals
Date: Wed, 25 Feb 2015 06:15:42 +0900
References: <54ECD4E3.9040705@gmail.com>
To: Pádraic Brady
Cc: Stanislav Malyshev, internals@lists.php.net
Subject: Re: [PHP-DEV] [RFC] Script only include/require
From: yohgaki@ohgaki.net (Yasuo Ohgaki)

Hi Stas,

On Wed, Feb 25, 2015 at 5:33 AM, Pádraic Brady wrote:

> On Tuesday, February 24, 2015, Stanislav Malyshev wrote:
>
>> Hi!
>>
>> > Will it add a significant level of protection? No.
>> >
>> > Does it add protection? Yes.
>> >
>> > Each time we add some incremental security hardening, we make it a bit
>> > harder to create vulnerabilities. In this case, if there were code
>>
>> In this case, it seems not to be much harder than changing a URL a bit
>> or uploading a file under a different extension. OTOH, it creates a false
>> sense of security - oh, I'm using the secure settings, now I can forget
>> about caring for LFI! - and also has huge BC break potential. For me, it
>> looks like a magic quotes comeback.
>
> They'd need to upload with a matching file type. Instead of any file
> type. Fewer possible types is by definition less than all types.
>
> This is not even remotely magic quotes. No input is altered.

I would like to add a note on this.

Anti-virus products detect this type of file as "PHP malware". No other
language has such malware. According to a recent F-Secure blog post, this
type of "PHP malware" file is not decreasing but increasing. Other than this
type of "PHP malware", "PHP WebShell" is detected as PHP malware by
anti-virus products.

The reason why these have to be detected as "PHP malware" is that there are
PHP programs vulnerable to script inclusion attacks. Leaving this as it is
now would make people think "PHP is less secure than other languages",
"Wow, we have a lot of PHP malware. We may be better off not using PHP
anymore".

If "PHP malware" is found on a server, developers are forced to check their
code. Or they have to ask for a costly code check from people like me, even
when their PHP programs are safe. If this RFC is accepted, developers can
prove their PHP programs are safe without a code check.

This RFC's benefits may not be obvious to people on this list, but this RFC
eliminates a certain type of "PHP malware". PHP's script inclusion has been
a toy for security researchers and attackers for a long time. Let's take
away the toy from them.

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net
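To make concrete what the thread calls a "script inclusion attack", and what a script-only include buys and does not buy (Stas's objection about uploading under a matching extension), here is an added example in PHP. It is not code from the thread or from the RFC: the `include_script_only()` function, the `pages`/`uploads` layout, the constructed fixture files and the ".php only" rule are assumptions of this example, not the RFC's actual mechanism.

```php
<?php
// Added example (not code from the thread or from the RFC). Shows the
// "script inclusion" bug the thread is about: an uploaded non-script file
// is executed because include() accepts any readable path. Then a userland
// approximation of a "script-only" include. The directory layout, the
// include_script_only() name and the .php-only rule are assumptions made
// here, not the RFC's actual mechanism.
declare(strict_types=1);

// --- Constructed fixture: a pages directory and an "uploads" directory
//     holding a file that looks like an image but carries PHP code. ---
$root = sys_get_temp_dir() . '/script_only_demo_' . getmypid();
mkdir("$root/pages", 0700, true);
mkdir("$root/uploads", 0700, true);
file_put_contents("$root/pages/home.php", "<?php echo \"home page\\n\";\n");
// Harmless stand-in for the "PHP malware" an AV product would flag:
file_put_contents("$root/uploads/avatar.jpg",
    "GIF89a<?php echo \"uploaded file executed\\n\"; ?>");
// What Stas's objection describes: same payload uploaded with a matching extension.
file_put_contents("$root/uploads/avatar.php",
    "<?php echo \"uploaded .php executed\\n\";");

// Vulnerable pattern (typical, assumed): include 'pages/' . $_GET['page'];
function render_page_vulnerable(string $pagesDir, string $page): void
{
    include "$pagesDir/$page";   // ../uploads/avatar.jpg is accepted and run
}

// Hardened: only a .php file physically under $pagesDir may be included.
function include_script_only(string $pagesDir, string $page): void
{
    if (strpos($page, "\0") !== false) {
        throw new RuntimeException('null byte in path');
    }
    // Stream wrappers (php://, data://, phar://, http://) are never scripts on disk.
    if (preg_match('~^[a-z][a-z0-9+.\-]*://~i', $page)) {
        throw new RuntimeException("stream wrapper rejected: $page");
    }
    // The extension rule the RFC discussion is about: an uploaded .jpg/.txt
    // must not be an includable target even if its content is PHP.
    if (strtolower(pathinfo($page, PATHINFO_EXTENSION)) !== 'php') {
        throw new RuntimeException("not a script file: $page");
    }
    // Confinement closes the hole the extension rule alone leaves open
    // (a .php uploaded elsewhere, reached via ../).
    $base = realpath($pagesDir);
    $real = realpath("$pagesDir/$page");
    if ($base === false || $real === false
        || strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        throw new RuntimeException("outside script directory: $page");
    }
    include $real;
}

$pagesDir = "$root/pages";

echo "--- vulnerable include ---\n";
foreach (['home.php', '../uploads/avatar.jpg'] as $page) {
    render_page_vulnerable($pagesDir, $page);   // both execute
}

echo "--- script-only include ---\n";
$requests = ['home.php', '../uploads/avatar.jpg', '../uploads/avatar.php', 'php://input'];
foreach ($requests as $page) {
    try {
        include_script_only($pagesDir, $page);
    } catch (RuntimeException $e) {
        echo "rejected: {$e->getMessage()}\n";
    }
}

// Cleanup of the constructed fixture.
foreach (["$root/pages/home.php", "$root/uploads/avatar.jpg", "$root/uploads/avatar.php"] as $f) {
    unlink($f);
}
rmdir("$root/pages");
rmdir("$root/uploads");
rmdir($root);
```

Run with `php example.php`. The vulnerable include executes the "image" (the `GIF89a` prefix is printed, then the embedded PHP runs). The hardened include rejects `avatar.jpg` on extension alone, which is the gain Pádraic describes; `avatar.php` and `php://input` are rejected only by the directory confinement and the wrapper check, which is the residual risk Stas points at: an extension rule by itself does not stop a payload uploaded with a matching extension.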