Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:83728 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 9757 invoked from network); 25 Feb 2015 00:53:23 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 25 Feb 2015 00:53:23 -0000 Authentication-Results: pb1.pair.com header.from=padraic.brady@gmail.com; sender-id=pass Authentication-Results: pb1.pair.com smtp.mail=padraic.brady@gmail.com; spf=pass; sender-id=pass Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.217.175 as permitted sender) X-PHP-List-Original-Sender: padraic.brady@gmail.com X-Host-Fingerprint: 209.85.217.175 mail-lb0-f175.google.com Received: from [209.85.217.175] ([209.85.217.175:35410] helo=mail-lb0-f175.google.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id 33/40-24698-30D1DE45 for ; Tue, 24 Feb 2015 19:53:23 -0500 Received: by lbjb6 with SMTP id b6so615578lbj.2 for ; Tue, 24 Feb 2015 16:53:20 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=AUOY6FcMgOT5i7cSgECMuxinSIcoZma5eEAPp+XyHt4=; b=Snbyq6mPALMF2VEl98F7Vx8RzNZX5khywkVRVNkRbsmsGKxvx6aRD+y82axVwpCVYZ AN+lHR24pm5dwS93eGlFbLUXGJrD3ckmY0EtfYUZ5LH0e9/XKJLENf+VwR0dMHGe6yZ6 mAz2OLG9jedV//bxI74KZdl6WhsB5tOa5aSMIe3fLmUVodLUAwOeb1NnxBe0kuXvSZ8I KVr4gcZv4oW9k3Wm6AC0R4Ia0yvr+kU0td7YbfjuIx8sa/qBwocRRpPliwjPY+zcjGeG k0E6ioNGnyQD0gnJ9n83vP9p2QU7khvKQYav+1ufpPqV6Xo0bI06BpN8PbaXy3brWUiZ OQNA== MIME-Version: 1.0 X-Received: by 10.112.198.66 with SMTP id ja2mr458357lbc.39.1424825600150; Tue, 24 Feb 2015 16:53:20 -0800 (PST) Received: by 10.112.154.229 with HTTP; Tue, 24 Feb 2015 16:53:20 -0800 (PST) In-Reply-To: <54ED160B.9010908@gmail.com> References: <54ECD4E3.9040705@gmail.com> <54ECF605.7030506@gmail.com> <54ED160B.9010908@gmail.com> Date: Wed, 25 Feb 2015 00:53:20 +0000 Message-ID: To: Stanislav Malyshev Cc: Dmitry Stogov , Yasuo Ohgaki , "internals@lists.php.net" , Nikita Popov Content-Type: multipart/alternative; boundary=001a11c34010c39426050fdf0fdc Subject: Re: [PHP-DEV] [RFC] Script only include/require From: padraic.brady@gmail.com (=?UTF-8?Q?P=C3=A1draic_Brady?=) --001a11c34010c39426050fdf0fdc Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable Hi On Wednesday, February 25, 2015, Stanislav Malyshev wrote: > Hi! > > > Your example omitted the image validation step which would have > > Ah, right, and if I name it .zip, it'd be zip validation, and if I name > it .pdf it'd be pdf validation, and if I name it .lol that would be LOL > validation. You'd have to manually validate every type in existence and > somehow invent validation for unknown ones. And it's not like I can't > also make it a valid GIF/PDF/whatever - that has been done already. So > you support this "security measure" by saying you can maybe plug the > hole using other measures. Maybe you can, maybe (more probably) not but > that does not redeem the insecurity of this "security measure". Well, you fire those right over and then we'll have a debate worth having ;). > > again. It's not very fair to create a scenario with a total lack of > > any security, and then ignore that your code's problem is that gaping > > hole and NOT the minor extension filter on the far end. > > But that is *exactly* what this RFC is doing! The gaping security hole > is include $argv[1] and that's where it should be fixed, not introducing > temporary patches that prevent 1% of the scenarios and can be overridden > within minutes. RFC does not target invalidated uploads. For heavens sake, it's a defense in depth measure not a sentient AI! > I don't see how it is not fair since the *only* scenario where it is > useful is when your code *already* has the gaping security hole, > otherwise this RFC has no utility as your includes are controlled by you > so they already are php files. > That is not true! The lack of validation is one of degrees. You are speaking in absolutes and ignoring partial effectiveness. Your example had ZERO validation. Yasuo's clearly targeted successful validation of an image. Not none at all. > > indeed be preventable by his RFC. Please stick to what the RFC > > actually claims to do. > > It claims to protect from file inclusion, by only allowing for include > to operate on strings which end in .php, and then banning such files > (ending in .php) from being handled by move_uploaded_file(). As I > demonstrated (and this is I suspect not the only option) this does not > actually offer any protection from LFI/RCE, as the end of the string > given to include and the file on disk do not have to be the same. In my > eyes, mechanism with such big BC break potential that is overridden in > so trivial manner has little value. > No it doesn't! You are misrepresenting this RFC as a magic wand. That is not the case and it is extremely frustrating to see you persist on this. Read my emails and read Yasuo's and then Dan's. Then we can have some sort of intelligible discussion. Paddy --=20 -- P=C3=A1draic Brady http://blog.astrumfutura.com http://www.survivethedeepend.com Zend Framework Community Review Team Zend Framework PHP-FIG Representative --001a11c34010c39426050fdf0fdc--