Newsgroups: php.internals
Subject: Re: [PHP-DEV] [RFC] Script only include/require
From: Pádraic Brady <padraic.brady@gmail.com>
To: Stanislav Malyshev
Cc: Yasuo Ohgaki, internals@lists.php.net
Date: Wed, 25 Feb 2015 00:20:17 +0000
In-Reply-To: <54ECFAA8.4020305@gmail.com>
References: <54ECD4E3.9040705@gmail.com> <54ECFAA8.4020305@gmail.com>

Hi,

>> This RFC's benefits may not be obvious for people on this list, but this
>> RFC eliminates certain types of "PHP malware". PHP's script inclusion
>
> I can't think of any type of PHP malware that would be eliminated. At
> most, the malware injection protocols have to be slightly modified to
> work around the initial hurdle of not being able to pass files with
> extension .php through move_uploaded_file(). With an RCE vulnerability it's
> trivial, with an RFI one based on uploads it is a little harder, but only
> insignificantly - if I am not mistaken, in the last email I provided a
> workaround and it took me less than 5 minutes to come up with it,
> without being a professional exploit writer.

You might want to carefully read Yasuo's sentence about "certain" types,
which is not the same as "all" types. You seem to be exaggerating the
claimed benefit of the RFC and using those exaggerated claims (and their
debunking) as evidence against the RFC. In this, you are seriously off
topic.

The RFC makes a very simple claim about limiting includes to specific file
extensions. It does not validate the files - the implicit assumption is
that the files are pre-validated, so it exists to mop up certain edge cases
that may bypass validation. This is just basic defense in depth.

Paddy

-- 
Pádraic Brady
http://blog.astrumfutura.com
http://www.survivethedeepend.com
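The defense-in-depth point above, as an added userland illustration that is not code from the RFC, the thread, or PHP itself: a wrapper that refuses to `include` any file whose extension is not on an allow-list, which is the behaviour the RFC proposes to enforce in the engine. The names `safe_include` and `ALLOWED_SCRIPT_EXTENSIONS` are assumptions, and the two files written to the temp directory are constructed for the demonstration.

```php
<?php
// Added illustration (not the RFC's implementation): a userland wrapper
// that only includes files whose extension is on an allow-list. This is
// the same "script only include" check expressed outside the engine, as
// a second layer behind whatever upload validation already exists.
// The function and constant names are assumptions made for this example.

const ALLOWED_SCRIPT_EXTENSIONS = ['php', 'phtml'];

function safe_include(string $path): mixed
{
    // Resolve symlinks and "../" segments before inspecting the name, so the
    // extension checked is that of the file actually read from disk.
    $real = realpath($path);
    if ($real === false) {
        throw new RuntimeException("include target does not exist: $path");
    }

    $ext = strtolower(pathinfo($real, PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_SCRIPT_EXTENSIONS, true)) {
        // The file is not inspected for content: like the RFC, this only
        // narrows which files may be executed at all.
        throw new RuntimeException("refusing to include non-script file: $real");
    }

    return include $real;
}

// Constructed fixtures: a template with a script extension and an "upload"
// with an image extension that happens to contain PHP code.
$dir = sys_get_temp_dir() . '/safe_include_demo';
if (!is_dir($dir)) {
    mkdir($dir, 0700, true);
}
file_put_contents("$dir/view.php", '<?php return "rendered";');
file_put_contents("$dir/upload.jpg", '<?php return "not reached";');

var_dump(safe_include("$dir/view.php"));

try {
    safe_include("$dir/upload.jpg");
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";
}
```

The wrapper does nothing about code that is already executing (an RCE), and nothing about a `.php` file that slipped past upload validation; it only closes the case where a validated-as-data file is later handed to `include`, which is the narrow edge case the message describes.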