Newsgroups: php.internals
Subject: Re: [PHP-DEV] [RFC] Script only include/require
From: "Kevin Ingwersen (Ingwie Phoenix)" <ingwie2000@googlemail.com>
To: Stanislav Malyshev
Cc: Yasuo Ohgaki, Pádraic Brady, internals@lists.php.net
Date: Wed, 25 Feb 2015 09:18:59 +0100
Message-ID: <0369AE4C-7676-408C-8A6F-16C975588ED5@googlemail.com>
In-Reply-To: <54ED5648.1020907@gmail.com>

Here are my two cents on this RFC, as it just keeps popping up in my inbox and it's beginning to be one that I wish I could ignore.

First, … file extensions? A default Apache configuration and some Nginx configurations actually accept more than one file extension. This RFC does not include any way to specify a variety of extensions that should be blocked, ignored or treated otherwise.

Your PHP code is only as secure as you make it. If you are in need of such an RFC just to block a few "rare cases", then I would rather suggest that you either check your source or hand it to a professional to get it counter-checked.

Besides that, it is never a good idea to let a user upload /everything/ that they want to. A proper MIME-type check can be helpful in these scenarios.

Again, I would not vote for the RFC and I do not think positively about it, since I see it as very unnecessary.

Thus, if an attacker really wants to get into your business, they have more than one way to do so - for instance, exploiting the web server itself.
Kind regards,
Ingwie

> On 25.02.2015 at 05:57, Stanislav Malyshev wrote:
>
> Hi!
>
>> I have to at least php://
>> php://input or php://stdin
>> allows attacker script execution via POST if it's allowed
>> by allow_url_include=On.
>
> allow_url_include=On means it's allowed. That's what "on" setting is
> for. Production setting should always be "off".
> --
> Stas Malyshev
> smalyshev@gmail.com
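The two mitigations the message and the quoted reply point at (validate uploads by a single allow-listed extension plus a content-based MIME check, and keep allow_url_include off in production) as one added PHP example. This is not code from the thread or from the RFC; the upload field name, the allow-list and the storage path are assumptions.

```php
<?php
// Added example, not code from the thread: accept an upload only when a single
// allow-listed extension and the content-sniffed MIME type agree, and refuse to
// run while allow_url_include is on. Field names and paths are assumptions.
// Extension => MIME types acceptable for that extension (assumed allow-list).
const ALLOWED_TYPES = [
    'png'  => ['image/png'],
    'jpg'  => ['image/jpeg'],
    'jpeg' => ['image/jpeg'],
];

// Lower-cased extension, or null if the name has none, has more than one
// ("x.php.png" is run as PHP by some default handler configs), or contains
// anything outside a conservative character set (no slashes, no NUL bytes).
function safe_extension(string $name): ?string
{
    if (!preg_match('/\A[A-Za-z0-9_-]{1,100}\.([A-Za-z0-9]{1,8})\z/', $name, $m)) {
        return null;
    }
    return strtolower($m[1]);
}

// Extension to store the file under, or null when the upload must be rejected.
function validate_upload(string $tmpPath, string $originalName): ?string
{
    $ext = safe_extension($originalName);
    if ($ext === null || !isset(ALLOWED_TYPES[$ext])) {
        return null;
    }
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath); // sniffs bytes, not the name
    if ($mime === false || !in_array($mime, ALLOWED_TYPES[$ext], true)) {
        return null;
    }
    return $ext;
}

// The quoted reply says production should be Off; fail closed if it is not.
function assert_url_include_disabled(): void
{
    if (filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN)) {
        throw new RuntimeException('allow_url_include must be Off in production');
    }
}

// Usage: store under a random name outside the document root, never under the user's name.
assert_url_include_disabled();
$ext = validate_upload($_FILES['upload']['tmp_name'], $_FILES['upload']['name']);
if ($ext === null) { http_response_code(400); exit('Upload rejected'); }
move_uploaded_file($_FILES['upload']['tmp_name'], '/var/app/uploads/' . bin2hex(random_bytes(16)) . '.' . $ext);
```

The extension check is done on the name and the MIME check on the bytes, so a file that passes one but not the other is rejected rather than stored under a name the web server might execute.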