Newsgroups: php.internals
Date: Wed, 25 Feb 2015 09:49:47 +0900
Subject: Re: [PHP-DEV] [RFC] Script only include/require
From: yohgaki@ohgaki.net (Yasuo Ohgaki)
To: Dan Ackroyd
Cc: Pádraic Brady, "internals@lists.php.net"

Hi Dan,

On Wed, Feb 25, 2015 at 9:38 AM, Dan Ackroyd wrote:

> On 25 February 2015 at 00:09, Pádraic Brady wrote:
> >
> > Your example omitted the image validation step which would have
> > noticed your attempt to upload a phar immediately. Add that and try
> > again.
>
> Image validation is no defense against this type of attack:
>
> http://php.webtutor.pl/en/2011/05/13/php-code-injection-a-simple-virus-written-in-php-and-carried-in-a-jpeg-image/
>
> As soon as you have any possibility of including a file uploaded by an
> attacker, you are probably going to lose.

I know, and Padraic knows also, that an attacker can make an image file whose "embedded PHP script" cannot be removed even with image resizing. Even a tool called "Image Fight" exists to fight against PHP-script-embedded images.

I proposed restricting include/require to loading specific file extensions, but I've got many objections to the idea. Therefore, I've tried to "detect" embedded "PHP script". However, it's complex and I cannot make sure there isn't an embedded "PHP script" in a file.

The current RFC is based on the original idea with additional move_uploaded_file() protection. It works well for the objective.

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net
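The defensive pattern the thread is arguing about, written out as an added example that is not code from the RFC or from either poster: uploads are stored under a server-chosen name and extension and never handed to include/require, and include/require only accepts paths that resolve inside a trusted directory with a script extension. UPLOAD_DIR, SCRIPT_DIR, storeUpload() and includeScript() are assumed names for illustration.

```php
<?php
// Added example, not from the RFC or the thread. Directory paths and
// function names are assumptions chosen for illustration.
declare(strict_types=1);

const UPLOAD_DIR  = '/var/app/uploads';   // outside the docroot, no PHP handler
const SCRIPT_DIR  = '/var/app/templates'; // deploy-controlled code only
const SCRIPT_EXTS = ['php', 'phtml'];     // the only extensions include may load

/**
 * Store an upload under a random name with a fixed, non-script extension.
 * Image validation is done elsewhere and is not what protects the server:
 * a valid JPEG can still carry PHP source, so the file must simply never
 * reach include/require or a PHP-enabled web directory.
 */
function storeUpload(array $file): string
{
    if (!isset($file['tmp_name']) || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    $name = bin2hex(random_bytes(16)) . '.bin'; // extension chosen by us, not the client
    $dest = UPLOAD_DIR . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('move_uploaded_file failed');
    }
    return $name;
}

/**
 * Include only files that resolve inside SCRIPT_DIR and carry a script
 * extension: the "script only include/require" rule enforced in userland.
 */
function includeScript(string $relative): void
{
    $ext = strtolower(pathinfo($relative, PATHINFO_EXTENSION));
    if (!in_array($ext, SCRIPT_EXTS, true)) {
        throw new InvalidArgumentException("refusing non-script extension: $ext");
    }
    $base = realpath(SCRIPT_DIR);
    $real = realpath(SCRIPT_DIR . '/' . $relative);
    // realpath() resolves symlinks and "..", so a prefix check on the result
    // rejects traversal out of the trusted directory.
    if ($base === false || $real === false
        || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        throw new InvalidArgumentException('path escapes trusted directory');
    }
    require $real;
}
```

Note that includeScript() is never called with a value derived from storeUpload(): the two directories are disjoint, so even an upload that survives resizing with its payload intact has no path by which the interpreter will execute it.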