Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:83704
Return-Path: <smalyshev@gmail.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 68099 invoked from network); 24 Feb 2015 22:07:07 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 24 Feb 2015 22:07:07 -0000
Authentication-Results: pb1.pair.com header.from=smalyshev@gmail.com; sender-id=pass
Authentication-Results: pb1.pair.com smtp.mail=smalyshev@gmail.com; spf=pass; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.220.42 as permitted sender)
X-PHP-List-Original-Sender: smalyshev@gmail.com
X-Host-Fingerprint: 209.85.220.42 mail-pa0-f42.google.com  
Received: from [209.85.220.42] ([209.85.220.42:36737] helo=mail-pa0-f42.google.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id 07/08-24698-A06FCE45 for <internals@lists.php.net>; Tue, 24 Feb 2015 17:07:06 -0500
Received: by pabkq14 with SMTP id kq14so39309018pab.3
        for <internals@lists.php.net>; Tue, 24 Feb 2015 14:07:02 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=message-id:date:from:user-agent:mime-version:to:cc:subject
         :references:in-reply-to:content-type:content-transfer-encoding;
        bh=13+YDNL8tWw6TRNrY7jA2jB4iuGwYi0PoMQCShTrIHo=;
        b=VxqAVX4xbc6oiB0dPFL20LNI+cdBBm6PpoPghLQUFhsgwqr2jATk6yx8Hk+9zwM6+W
         wZam0WieL1ySzxrARpsavmGyinGIWytrUsAXhDcFEVzBCwP0lsubVGK0K1ymBdeSwMdY
         t9oVQkv3DptFWkRB1e2BZFU+wKqvA00ClMGF0m5Tw5IwjYNYq+VYDXQehzQAZJdylm/E
         g+1v7hF9bfMKCuMM6PMPQOTiDz9pMvtvcAC15Ow12IGJs+OqKuV0JIGJavNoKNbCnfSf
         +q0Guc0hHhC9mi8GYlfCs5kiLmZy+7eL8ysdhc9q81oGI1V3K0qetYOxAdWqrZBor7Ca
         1v3g==
X-Received: by 10.66.255.98 with SMTP id ap2mr23153pad.134.1424815622877;
        Tue, 24 Feb 2015 14:07:02 -0800 (PST)
Received: from Stas-Air.local (108-66-6-48.lightspeed.sntcca.sbcglobal.net. [108.66.6.48])
        by mx.google.com with ESMTPSA id je2sm39123771pbd.44.2015.02.24.14.07.01
        (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Tue, 24 Feb 2015 14:07:02 -0800 (PST)
Message-ID: <54ECF605.7030506@gmail.com>
Date: Tue, 24 Feb 2015 14:07:01 -0800
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:31.0) Gecko/20100101 Thunderbird/31.4.0
MIME-Version: 1.0
To: =?UTF-8?B?UMOhZHJhaWMgQnJhZHk=?= <padraic.brady@gmail.com>
CC: Dmitry Stogov <dmitry@zend.com>, Yasuo Ohgaki <yohgaki@ohgaki.net>, 
 "internals@lists.php.net" <internals@lists.php.net>,
 Nikita Popov <nikitappv@gmail.com>
References: <CAGa2bXa=LHMT+wdSM_xbHDo1901QDSFa-KotjQckNwVX9wUEUQ@mail.gmail.com>	<CAGa2bXZ0VCC4ZN0=YU8ZE9LXm8m9j-RJnmYOhd5qrENoa1HimQ@mail.gmail.com>	<CA+9eiLvV-wY-6BC5FHZM=uMAWm4Ny4Ej_m2F31o6DNGacpfJPQ@mail.gmail.com>	<CALwr1Gmmy06_4ZgsvUhcf5m7g06vK2s18qmxKBv1gu+syrsbQA@mail.gmail.com>	<54ECD4E3.9040705@gmail.com> <CALwr1GkY_8TN-HwXnRNL0-1oRfQPJvz0_vyJv_ojUTVsFbkNTQ@mail.gmail.com>
In-Reply-To: <CALwr1GkY_8TN-HwXnRNL0-1oRfQPJvz0_vyJv_ojUTVsFbkNTQ@mail.gmail.com>
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
Subject: Re: [PHP-DEV] [RFC] Script only include/require
From: smalyshev@gmail.com (Stanislav Malyshev)

Hi!

> They'd need to upload with a matching file type. Instead of any file

Not sure what you mean by that. phar can read tars, etc. AFAIK, can't
it? Also, phar archive has no requirement of being named something.phar,
afaik can be also named cuteponies.gif. E.g., I just did this:

1. Created file chump.php:

<?php

include $argv[1];

This is an idealized vulnerable script.

2. Created file pwnd.php
<?php

echo "pwnd!";

This is an idealized exploit.

3. Put it into an archive:
tar cvzf cuteponies.gif pwnd.php

4. Run this:

php -dallow_url_include=0 chump.php phar://cuteponies.gif/pwnd.php

The output is:

pwnd!

I'm not sure how this measure would protect from such scenario. Am I
missing something here?

> This is not even remotely magic quotes. No input is altered.

Don't be so literal. It's not about altering input, it's about the fact
that it breaks stuff and not adds much to security.

> None of this detracts from limiting file includes. Other potential

Not sure what you mean. If you can pull off file include - which is a
precondition of this feature being useful - then you can pull off phar
include.

> weaknesses could be addressed separately if you agree there's more than
> one addressed not addressed here. One might say...incrementally.

The problem is there's no increment there. It's like having a password
hardcoded to "password". You can say "oh, it's incremental security, at
least we have a password!" but it is not incrementing the actual security.

> You keep mentioning magic quotes. That was never an improvement. It was
> removed from PHP. Please stop trying to associate two unrelated things

Yes, it was removed from PHP - exactly because it did not produce the
attempted improvement in security. This feature is of the same kind - it
tries to produce increase in security but fails. Thinking of it as a
security feature would produce nothing but an endless stream of CVEs
with PHP name attached to it. Not a good idea.
-- 
Stas Malyshev
smalyshev@gmail.com