Newsgroups: php.internals
Subject: Re: [PHP-DEV] [RFC] Script only include/require
From: yohgaki@ohgaki.net (Yasuo Ohgaki)
To: Stanislav Malyshev
Cc: Pádraic Brady, "internals@lists.php.net"
Date: Wed, 25 Feb 2015 13:39:55 +0900

Hi Stas,

On Wed, Feb 25, 2015 at 12:19 PM, Stanislav Malyshev wrote:

> > Are you saying current PHP allows
> > include('zip://...') or include('input://...')?
>
> Neither zip nor phar are classified as url handlers. Both have is_url set to 0.
>
> > Then this is a serious bug. I'll fix it also.
>
> This would be another big BC break, as this would mean you can not use
> phar streams with allow_url_fopen set to off. Please don't change that,
> there's reason for these settings.

I have to at least php://
php://input or php://stdin allows attacker script execution via POST if it's allowed by allow_url_include=On.

[yohgaki@dev php-src]$ php -d allow_url_include=On -r 'include("php://input");' 2> /dev/null
[yohgaki@dev php-src]$

No errors.
It seems we had better fix this even with this RFC. The default setting for the web SAPI prevents the attack, but it can be disabled.

Other than this, it seems it's working as it should.
(allow_url_include=Off)

[yohgaki@dev php-src]$ php -r 'include("php://input");' 2> /dev/null
Warning: include(php://input): failed to open stream: operation failed in Command line code on line 1
Warning: include(): Failed opening 'php://input' for inclusion (include_path='.:/usr/share/pear:/usr/share/php') in Command line code on line 1

[yohgaki@dev php-src]$ php -r 'include("http://php.net");' 2> /dev/null
Warning: include(): http:// wrapper is disabled in the server configuration by allow_url_include=0 in Command line code on line 1
Warning: include(http://php.net): failed to open stream: no suitable wrapper could be found in Command line code on line 1
Warning: include(): Failed opening 'http://php.net' for inclusion (include_path='.:/usr/share/pear:/usr/share/php') in Command line code on line 1

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net
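Editor's added example, not part of the message above and not code from php-src: the include-by-request-parameter pattern that the php://input observation turns into remote code execution when allow_url_include=On, shown beside a hardened resolver that only ever passes a vetted local path to include(). The page names (a "pages" directory holding home.php), the function names and the attack request in the comment are assumptions for illustration; the self-check at the bottom builds its own temporary page directory so it runs offline.

```php
<?php
declare(strict_types=1);

// Vulnerable dispatcher. If allow_url_include=On (it is Off by default) a request such as
//   curl -d '<?php system("id"); ?>' 'http://host/page.php?page=php://input'
// makes include() read and execute the POST body. http://, ftp://, data:// and
// other wrappers behave the same way. (Hypothetical request, for illustration.)
function render_page_unsafe(string $page): void
{
    include $page;
}

// Hardened resolver: returns the absolute path of an allowed page or null.
// Allowed names are a short alphanumeric token, so a wrapper prefix ("php://"),
// a URL, a traversal sequence or a NUL byte never reaches include() at all.
function resolve_page(string $page, string $pageDir): ?string
{
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $page)) {
        return null;
    }
    $base      = realpath($pageDir);
    $candidate = realpath($pageDir . '/' . $page . '.php');
    if ($base === false || $candidate === false) {
        return null;            // unknown page
    }
    // Compare canonical paths so a symlink inside $pageDir cannot escape it.
    if (strncmp($candidate, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $candidate;
}

function render_page(string $page, string $pageDir): void
{
    $path = resolve_page($page, $pageDir);
    if ($path === null) {
        http_response_code(404);
        echo "no such page\n";
        return;
    }
    include $path;              // always a vetted local file
}

// Defence in depth: the hardened resolver is correct on its own, but refuse to
// serve at all if someone has re-enabled the setting that makes wrappers includable.
if (filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN)) {
    throw new RuntimeException('allow_url_include must be Off');
}

// CLI self-check against a constructed page directory (not real application data).
if (PHP_SAPI === 'cli') {
    $dir = sys_get_temp_dir() . '/pages_' . bin2hex(random_bytes(4));
    mkdir($dir);
    file_put_contents("$dir/home.php", "<?php echo \"home\\n\";\n");

    foreach (['home', 'php://input', 'http://php.net', '../../etc/passwd', "home\0"] as $p) {
        printf("%-20s => %s\n", addcslashes($p, "\0"), resolve_page($p, $dir) ?? 'rejected');
    }
    render_page('home', $dir);

    unlink("$dir/home.php");
    rmdir($dir);
}
```

Run it with `php page.php` to see every wrapper and traversal input rejected while `home` resolves to the real file. The allow-list regex does the real work; the realpath() comparison is there for the day someone drops a symlink into the pages directory, and the ini_get() guard mirrors the point of the thread: the default protects you, but only until somebody flips it.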