Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:83715
Return-Path: <smalyshev@gmail.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 88525 invoked from network); 24 Feb 2015 23:25:22 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 24 Feb 2015 23:25:22 -0000
Authentication-Results: pb1.pair.com header.from=smalyshev@gmail.com; sender-id=pass
Authentication-Results: pb1.pair.com smtp.mail=smalyshev@gmail.com; spf=pass; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.220.47 as permitted sender)
X-PHP-List-Original-Sender: smalyshev@gmail.com
X-Host-Fingerprint: 209.85.220.47 mail-pa0-f47.google.com  
Received: from [209.85.220.47] ([209.85.220.47:40205] helo=mail-pa0-f47.google.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id 93/0C-24698-1680DE45 for <internals@lists.php.net>; Tue, 24 Feb 2015 18:25:22 -0500
Received: by paceu11 with SMTP id eu11so320855pac.7
        for <internals@lists.php.net>; Tue, 24 Feb 2015 15:25:18 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=message-id:date:from:user-agent:mime-version:to:cc:subject
         :references:in-reply-to:content-type:content-transfer-encoding;
        bh=gUK2DZMbVAPTYCvopPHJFhHB6vE3TE/xP1J+VUjopgc=;
        b=0pDY31kqvgYn5MhIct/CDzUO5lbd89sZ6XT/LbT5nubL7IDAfzE7y8UH+1Y1ACqtqe
         TMZJzoSkgTpE9MjrBNY56F7cB5VuMJRouPjJ8jJv80VJIMB4+1JTJXOXeitA/nDssnNJ
         Xu5QQaDuuEP9JJdS4Gc+H75sJtVLwsu6JAXybjUMyYTgUhprRHIQ+wI4N3ZlY41tnKmo
         aAWb/wJMpsEyCTcV6PqD6LuAvxEhRn0fR9CcElzrQb3zvIKXLvdqvjTQxQ6cND4/GRTJ
         Le18By1Hwz1JbJ0TGOmCfgg5DAhwrY/SZjhGnMUomOyQgGFW3h7YW9wI6fA0nMoqF7Gd
         EYQA==
X-Received: by 10.67.10.47 with SMTP id dx15mr219042pad.139.1424820318859;
        Tue, 24 Feb 2015 15:25:18 -0800 (PST)
Received: from Stas-Air.local (108-66-6-48.lightspeed.sntcca.sbcglobal.net. [108.66.6.48])
        by mx.google.com with ESMTPSA id um16sm4992134pab.7.2015.02.24.15.25.16
        (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Tue, 24 Feb 2015 15:25:18 -0800 (PST)
Message-ID: <54ED085C.8010901@gmail.com>
Date: Tue, 24 Feb 2015 15:25:16 -0800
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:31.0) Gecko/20100101 Thunderbird/31.4.0
MIME-Version: 1.0
To: Yasuo Ohgaki <yohgaki@ohgaki.net>
CC: =?UTF-8?B?UMOhZHJhaWMgQnJhZHk=?= <padraic.brady@gmail.com>, 
 "internals@lists.php.net" <internals@lists.php.net>
References: <CAGa2bXa=LHMT+wdSM_xbHDo1901QDSFa-KotjQckNwVX9wUEUQ@mail.gmail.com> <CAGa2bXZ0VCC4ZN0=YU8ZE9LXm8m9j-RJnmYOhd5qrENoa1HimQ@mail.gmail.com> <CA+9eiLvV-wY-6BC5FHZM=uMAWm4Ny4Ej_m2F31o6DNGacpfJPQ@mail.gmail.com> <CALwr1Gmmy06_4ZgsvUhcf5m7g06vK2s18qmxKBv1gu+syrsbQA@mail.gmail.com> <54ECD4E3.9040705@gmail.com> <CALwr1GkY_8TN-HwXnRNL0-1oRfQPJvz0_vyJv_ojUTVsFbkNTQ@mail.gmail.com> <CAGa2bXZV1FOaW5mJqx2yw7WQz0prp1zfEgdEw99StbWPgDFUwg@mail.gmail.com> <54ECFAA8.4020305@gmail.com> <CAGa2bXZ373PGrJtpmgLje3obzGcXQs5sND=8TzyuKac+hZ--Fg@mail.gmail.com>
In-Reply-To: <CAGa2bXZ373PGrJtpmgLje3obzGcXQs5sND=8TzyuKac+hZ--Fg@mail.gmail.com>
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
Subject: Re: [PHP-DEV] [RFC] Script only include/require
From: smalyshev@gmail.com (Stanislav Malyshev)

Hi!

> As far as I know, PHP is the only language that has this type of malware.
> (Script embedded images) PHP is the only one malware vendors claims 
> it as "PHP malware". This is the fact.

Which type is that? Of course only malware in PHP can be presented as
"PHP malware", but I don't understand why it is of any significance.

> The reason is other languages are almost safe by default against script
> inclusion attacks.

Many languages just don't use patterns like PHP code does - I don't
think I ever seen Python code doing imports based on variables - I'm not
even sure it's possible in Python. PHP has more capabilities, but of
course you need to use them in the right way.

> This RFC makes PHP safe by default just like other languages +
> move_uploaded_file()
> protection.

No, it does not - I've shown the example why. I'm sure there are more.

> People do not have to be exparts of developing softwares. Managers will
> choose illogical choice.

We should not base our decision on the opinions of people we all
understand are ignorant.

> 1. Anti-virus detects "PHP malware"
> 2. Managers surprises possible attack (Server takeover)
> 3. Developers are forced to check their code, since current PHP has no
> effective script inclusion attack prevention
> 
> With this RFC, developers can explain this type of attacks cannot be done
> by PHP's feature. i.e. Exploit servers via script embedded images, etc
> cannot
> be done.

I don't think we need to introduce BC-breaking feature in PHP just
because somebody has a manager that can't understand the basics of security.

> Embedded PHP script uploads are prohibited by this RFC by default.

Only certain very narrow cases of it.

> 
> PHP became as secure as other languages with respect to script inclusions.

You keep repeating that, but it's not the case, and PHP already is as
secure as other languages - provided you do not use clearly broken code.
Security of the language is a misnomer anyway - language can not be
secure (unless it's a language that does nothing useful), only specific
code can be. Code that allows user-controlled includes without adequate
filtering is insecure, and pretending that we make it secure does not
improve security, quite the contrary.

> Users may shoot their own foot, this is not our issue.

But that's exactly what is required for your change to be useful at all!

-- 
Stas Malyshev
smalyshev@gmail.com