Newsgroups: php.internals
Xref: news.php.net php.internals:83723
Subject: Re: [PHP-DEV] [RFC] Script only include/require
From: danack@basereality.com (Dan Ackroyd)
To: Pádraic Brady
Cc: internals@lists.php.net
Date: Wed, 25 Feb 2015 00:38:54 +0000
References: <54ECD4E3.9040705@gmail.com> <54ECF605.7030506@gmail.com>

On 25 February 2015 at 00:09, Pádraic Brady wrote:
>
> Your example omitted the image validation step which would have
> noticed your attempt to upload a phar immediately. Add that and try
> again.

Image validation is no defense against this type of attack:
http://php.webtutor.pl/en/2011/05/13/php-code-injection-a-simple-virus-written-in-php-and-carried-in-a-jpeg-image/

As soon as you have any possibility of including a file uploaded by an
attacker, you are probably going to lose.

cheers
Dan
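Dan's point, as an added example that is not part of the thread or of PHP itself: a structural image check of the kind an upload validator performs passes a constructed JPEG whose comment segment carries a PHP open tag, which `include` would execute regardless of the file extension. The function names (`looks_like_valid_jpeg`, `find_php_tags`) and the sample bytes are this example's own; the tag scan is defence in depth only, and the actual fix is never to pass an upload path to include/require.

```python
"""Show why image validation does not protect include/require of uploads."""
import struct

SOI, EOI, SOS, COM = b"\xff\xd8", b"\xff\xd9", 0xDA, 0xFE
# Tags the PHP parser switches into code mode on. "<?" alone is only honoured
# with short_open_tag=On and would false-positive on scan data, so it is omitted.
PHP_OPEN_TAGS = (b"<?php", b"<?=")


def looks_like_valid_jpeg(data: bytes) -> bool:
    """Structural check like a validator would do: SOI, well-formed marker
    segments up to SOS, and a trailing EOI. It never looks at segment content."""
    if len(data) < 4 or data[:2] != SOI or data[-2:] != EOI:
        return False
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            return False
        marker = data[pos + 1]
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if length < 2 or pos + 2 + length > len(data):
            return False
        if marker == SOS:  # entropy-coded scan data follows; headers are fine
            return True
        pos += 2 + length
    return False


def find_php_tags(data: bytes) -> list:
    """Offsets of PHP open tags anywhere in the file. PHP's include executes
    code wherever a tag appears, so the scan is deliberately not limited to
    metadata segments."""
    hits = []
    for tag in PHP_OPEN_TAGS:
        idx = data.find(tag)
        while idx != -1:
            hits.append((idx, tag))
            idx = data.find(tag, idx + 1)
    return sorted(hits)


def _segment(marker: int, payload: bytes) -> bytes:
    """Build one marker segment; the length field counts itself (2 bytes)."""
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed samples: SOI, one COM segment, a stub SOS segment, EOI.
CLEAN_JPEG = SOI + _segment(COM, b"just a comment") + _segment(SOS, b"\x00") + EOI
TAINTED_JPEG = SOI + _segment(COM, b"<?php echo 'hi'; ?>") + _segment(SOS, b"\x00") + EOI

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_JPEG), ("tainted", TAINTED_JPEG)):
        print(name, "valid:", looks_like_valid_jpeg(blob), "tags:", find_php_tags(blob))
```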