Newsgroups: php.internals
Xref: news.php.net php.internals:83724
Date: Wed, 25 Feb 2015 00:43:31 +0000
To: Dan Ackroyd
Cc: internals@lists.php.net
Subject: Re: [PHP-DEV] [RFC] Script only include/require
From: Pádraic Brady <padraic.brady@gmail.com>

Hi Dan

On Wednesday, February 25, 2015, Dan Ackroyd wrote:

> On 25 February 2015 at 00:09, Pádraic Brady wrote:
> >
> > Your example omitted the image validation step which would have
> > noticed your attempt to upload a phar immediately. Add that and try
> > again.
>
> Image validation is no defense against this type of attack:
>
> http://php.webtutor.pl/en/2011/05/13/php-code-injection-a-simple-virus-written-in-php-and-carried-in-a-jpeg-image/
>
> As soon as you have any possibility of including a file uploaded by an
> attacker, you are probably going to lose.

That was indeed my point, as Yasuo has already explained earlier. Image
validation would however see a phar a mile off.

Paddy

-- 
Pádraic Brady
http://blog.astrumfutura.com
http://www.survivethedeepend.com
Zend Framework Community Review Team
Zend Framework PHP-FIG Representative
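The two claims in the exchange above (a JPEG can carry PHP code past image validation; a plain phar cannot) can both be shown with a small header-level check. What follows is an added example, not code from the original thread and not PHP's own `getimagesize()` implementation: it constructs a JPEG marker chain with a `<?php` string in a COM (comment) segment, then runs a simplified header-only validator of the kind upload handlers use. `build_jpeg`, `validate_image` and `contains_php_open_tag` are names chosen for this example, and the byte layouts are constructed inputs.

```python
"""Added example: a structurally valid JPEG header chain that carries PHP code.

Header-only image validation walks the JPEG marker segments, finds the frame
header (SOF) and reads the dimensions. It skips over COM and APPn payloads,
so a "<?php ... ?>" string placed in a COM segment survives validation.
validate_image() below is a simplified stand-in for such a check (an
assumption for this example, not PHP's getimagesize()).
"""
import struct

SOI, EOI, APP0, COM, SOS, SOF0 = 0xD8, 0xD9, 0xE0, 0xFE, 0xDA, 0xC0
SOF_MARKERS = {0xC0, 0xC1, 0xC2}  # baseline, extended-sequential, progressive


def segment(marker: int, payload: bytes) -> bytes:
    """Encode one marker segment: FF <marker> <2-byte length incl. itself> <payload>."""
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload


def build_jpeg(width: int, height: int, comment: bytes) -> bytes:
    """Constructed marker chain: SOI, JFIF APP0, COM, SOF0, EOI.

    There is no scan data, so this is not a decodable picture, but every
    marker is well-formed and a frame header is present, which is all a
    header-only validator looks for.
    """
    jfif = b"JFIF\x00" + bytes([1, 1, 0]) + struct.pack(">HH", 1, 1) + bytes([0, 0])
    # SOF0 payload: precision 8, height, width, 1 component (id 1, 1x1 sampling, qtable 0)
    sof0 = bytes([8]) + struct.pack(">HH", height, width) + bytes([1, 1, 0x11, 0])
    return (
        bytes([0xFF, SOI])
        + segment(APP0, jfif)
        + segment(COM, comment)
        + segment(SOF0, sof0)
        + bytes([0xFF, EOI])
    )


def validate_image(data: bytes):
    """Return (width, height) if data has a JPEG header chain, else None.

    Requires the SOI magic, walks segments by their length fields, returns
    the dimensions from the first SOF, and gives up at SOS/EOI. Segment
    payloads are skipped, never inspected: that is the gap the attack uses.
    """
    if len(data) < 4 or data[0] != 0xFF or data[1] != SOI:
        return None
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            return None  # expected a marker here
        marker = data[pos + 1]
        if marker in (EOI, SOS):
            return None  # ran out of headers without seeing a frame header
        length = struct.unpack(">H", data[pos + 2 : pos + 4])[0]
        if length < 2 or pos + 2 + length > len(data):
            return None
        if marker in SOF_MARKERS and length >= 7:
            _precision, height, width = struct.unpack(">BHH", data[pos + 4 : pos + 9])
            return width, height
        pos += 2 + length
    return None


def contains_php_open_tag(data: bytes) -> bool:
    """A content scan, which is what actually notices the embedded code."""
    return b"<?php" in data or b"<?=" in data


# Constructed inputs for the example.
PHP_IN_COMMENT = b"<?php echo 'hello from a jpeg comment'; ?>"
POISONED_JPEG = build_jpeg(8, 8, PHP_IN_COMMENT)
CLEAN_JPEG = build_jpeg(8, 8, b"Created with an ordinary editor")
# A phar whose stub opens with the PHP tag (the usual case assumed here)
# never has the FF D8 magic bytes, so the image check rejects it outright.
PHAR_STUB = b"<?php __HALT_COMPILER(); ?>"


def triage(data: bytes) -> str:
    """Combine both checks the way an upload handler would want to."""
    if validate_image(data) is None:
        return "rejected: not an image"
    if contains_php_open_tag(data):
        return "rejected: image carries PHP code"
    return "accepted"


if __name__ == "__main__":
    for name, blob in (("poisoned", POISONED_JPEG), ("clean", CLEAN_JPEG), ("phar", PHAR_STUB)):
        print(f"{name:9} image check={validate_image(blob)}  triage={triage(blob)}")
```

Running it shows the asymmetry the thread is arguing over: the poisoned file passes the image check with the same dimensions as the clean one and only the content scan flags it, while the plain phar stub fails the image check before any content scan is needed. Neither check makes it safe to `include` an attacker-supplied path; the point of the example is that image validation alone decides nothing about whether a file contains PHP.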