Newsgroups: php.internals (php.internals:83719)
Subject: Re: [PHP-DEV] [RFC] Script only include/require
From: Pádraic Brady <padraic.brady@gmail.com>
To: Stanislav Malyshev
Cc: Dmitry Stogov, Yasuo Ohgaki, internals@lists.php.net, Nikita Popov
Date: Wed, 25 Feb 2015 00:09:39 +0000
In-Reply-To: <54ECF605.7030506@gmail.com>
References: <54ECD4E3.9040705@gmail.com> <54ECF605.7030506@gmail.com>

Hi,

On 24 February 2015 at 22:07, Stanislav Malyshev wrote:
> Hi!
>
>> They'd need to upload with a matching file type. Instead of any file
>
> Not sure what you mean by that. phar can read tars, etc. AFAIK, can't
> it? Also, phar archive has no requirement of being named something.phar,
> afaik can be also named cuteponies.gif. E.g., I just did this:

Your example omitted the image validation step which would have noticed your attempt to upload a phar immediately. Add that and try again. It's not very fair to create a scenario with a total lack of any security, and then ignore that your code's problem is that gaping hole and NOT the minor extension filter on the far end.

The control under debate was already provided with a preventable example by Yasuo pointing out how certain crafted images for file inclusion, which would bypass certain image validation checks, would indeed be preventable by his RFC. Please stick to what the RFC actually claims to do.

Paddy

--
Pádraic Brady
http://blog.astrumfutura.com
http://www.survivethedeepend.com
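As an added illustration of the "image validation step" the reply refers to (example code written for this page, not code from either poster or from the RFC), here is a layered upload check: the file must decode as an allowlisted image type, its bytes must not carry PHP open tags or a phar stub, and the stored copy is re-encoded through GD so undecoded trailing data does not survive. The function and marker names are assumptions.

```php
<?php
// Added example: layered validation for an uploaded image, so that a phar
// renamed to something like cuteponies.gif is rejected before it can be
// reached through phar:// by any include/require.

// Allowlist of image types accepted by this hypothetical upload handler.
const ALLOWED_IMAGE_TYPES = [IMAGETYPE_GIF, IMAGETYPE_JPEG, IMAGETYPE_PNG];

// Byte-level markers (hypothetical list): PHP open tags and the stub
// terminator every phar archive carries.
const SCRIPT_MARKERS = ['<?php', '<?=', '__HALT_COMPILER'];

function containsScriptMarkers(string $bytes): bool
{
    foreach (SCRIPT_MARKERS as $marker) {
        if (stripos($bytes, $marker) !== false) {
            return true;
        }
    }
    return false;
}

// Returns [accepted, reason-or-mime].
function validateUploadedImage(string $tmpPath): array
{
    $bytes = file_get_contents($tmpPath);
    if ($bytes === false) {
        return [false, 'unreadable'];
    }
    // Layer 1: header must parse as an allowlisted image type.
    $info = @getimagesize($tmpPath);
    if ($info === false || !in_array($info[2], ALLOWED_IMAGE_TYPES, true)) {
        return [false, 'not an allowed image type'];
    }
    // Layer 2: a valid image header is not enough; comment fields or
    // trailing data may still hold code, so scan the whole body.
    if (containsScriptMarkers($bytes)) {
        return [false, 'embedded script markers'];
    }
    return [true, image_type_to_mime_type($info[2])];
}

// Layer 3: re-encode so only decoded pixel data reaches storage.
function storeReencoded(string $tmpPath, string $destPath): bool
{
    $img = @imagecreatefromstring((string) file_get_contents($tmpPath));
    if ($img === false) {
        return false;
    }
    $ok = imagepng($img, $destPath);
    imagedestroy($img);
    return $ok;
}
```

A handler would call validateUploadedImage($_FILES['f']['tmp_name']) and, only on acceptance, storeReencoded() into a directory outside the web root and never include/require from it.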