Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:83729 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 12100 invoked from network); 25 Feb 2015 00:59:53 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 25 Feb 2015 00:59:53 -0000 Authentication-Results: pb1.pair.com smtp.mail=yohgaki@gmail.com; spf=pass; sender-id=pass Authentication-Results: pb1.pair.com header.from=yohgaki@gmail.com; sender-id=pass Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.216.53 as permitted sender) X-PHP-List-Original-Sender: yohgaki@gmail.com X-Host-Fingerprint: 209.85.216.53 mail-qa0-f53.google.com Received: from [209.85.216.53] ([209.85.216.53:50912] helo=mail-qa0-f53.google.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id C8/C0-24698-78E1DE45 for ; Tue, 24 Feb 2015 19:59:52 -0500 Received: by mail-qa0-f53.google.com with SMTP id k15so474905qaq.12 for ; Tue, 24 Feb 2015 16:59:49 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc:content-type; bh=Stjw0qhC3dkJMVTgU2K51gV6eRvMtx7Yq88LRi5Fe/8=; b=lR4RSIjKuVHYUgPFtymAS+sqO/HFw4zy9avDUMWdm2GOkwJgml/VtSXGmCFXmrw7PD 8HiT+4Do7MnxwaqU4hLI06GIbwdrNeS8BdnxoRmkms8P0X2hH21T+EstE7veh9B82Cf3 XDTC0ppFCpZMVVrBtXhaGimL8Qsoe2J1P159B9duDFBQWMWLdyvq1LSKf1q/ccFzjhuz PqvvsxeJc9LkYZvBT11VCSdQFvYduhviQ7d+fendiL6rpLXjNV/wVap34COzbTblrgrc n+ThjFaBhtKUnvMPAvqvL3U0XruGakTyHHkv1xqckQlQRjfunvkYozsElNFlX3BqxzGQ 39gw== X-Received: by 10.140.108.66 with SMTP id i60mr1280270qgf.73.1424825989263; Tue, 24 Feb 2015 16:59:49 -0800 (PST) MIME-Version: 1.0 Sender: yohgaki@gmail.com Received: by 10.229.198.8 with HTTP; Tue, 24 Feb 2015 16:59:08 -0800 (PST) In-Reply-To: <54ED1CE2.9060903@gmail.com> References: <54ECD4E3.9040705@gmail.com> <54ECFAA8.4020305@gmail.com> <54ED085C.8010901@gmail.com> <54ED1CE2.9060903@gmail.com> Date: Wed, 25 Feb 2015 09:59:08 +0900 X-Google-Sender-Auth: oavR8T0glOK60woHVuLRnyuUHps Message-ID: To: Stanislav Malyshev Cc: =?UTF-8?Q?P=C3=A1draic_Brady?= , "internals@lists.php.net" Content-Type: multipart/alternative; boundary=001a11392386f4f602050fdf26ab Subject: Re: [PHP-DEV] [RFC] Script only include/require From: yohgaki@ohgaki.net (Yasuo Ohgaki) --001a11392386f4f602050fdf26ab Content-Type: text/plain; charset=UTF-8 Hi Stas, On Wed, Feb 25, 2015 at 9:52 AM, Stanislav Malyshev wrote: > > - require/include only includes ".php" ".phar" by default. > > This is not true. As I repeatedly point out, your change only requires > that the string passed to include would end in .php, but string passed > to include and filename on filesystem are very different things, they do > not have to be the same at all! > > > - move_uplaoded_file() only move files other than ".php", ".phar" > > extension by default. > > > > This makes "script inclusion" attack much harder. In fact, this RFC > > makes almost > > impossible attackers to take advantage of PHP's embed everything nature. > > I am at loss how you can claim it is "impossible" after I just > demonstrated how it is possible. > > > For users do not need these protections, they can simply add one liner. > > > > ini_set('zend.script_extensions', ''); > > > > This piece of code is executed for all PHP version without any errors. > > You sincerely do not understand why breaking all code that uses non-php > extensions is a problem and that editing existing production code's > entry points is by no way "simple"? That finding all extensions that may > be used for files in a complex software is very far from "simple"? > > > Unlike previous RFC, this RFC patch does not care "contents" of file, but > > only cares file "extensions". However, it works well as described before. > > It doesn't work well - in fact, it does not work at all, as I just > demonstrated, exactly because extension of the actual file and what > you're checking are different things. > > > Even with this RFC, users can shoot their own foot and PHP is much easier > > to do it wrong compare to other languages. > > These platitudes do not change the simple fact that your RFC does not do > what it claims to do, security-wise. > > > However, if users use new PHP by default setting, PHP is as safe as > > other languages against script inclusion/upload attacks. Since we have > > move_uploaded_file() protection, PHP becomes safer than others. > > No, it does not become safer, because if you have code that allows > script inclusion injection (and if you do, it's your fault, not PHP's) > it is trivial to exploit it even with this RFC. > > > - require/include cannot load script other than ".php"/".phar". > > As I showed, this is not true. I am kind of tired of repeating the same > thing again and again and being completely ignored, so unless there's > some new argument I'll stop repeating myself now. I think you misunderstood the RFC. You seems forgetting about "allow_url_include=Off" by default. Are you saying current PHP allows include('zip://...') or include('input://...')? Then this is serious bug. I'll fix it also. Regards, -- Yasuo Ohgaki yohgaki@ohgaki.net --001a11392386f4f602050fdf26ab--