Newsgroups: php.internals
Subject: Re: [PHP-DEV] [RFC] Script only include/require
From: yohgaki@ohgaki.net (Yasuo Ohgaki)
To: Lester Caine
Cc: internals@lists.php.net
Date: Wed, 25 Feb 2015 18:14:33 +0900

Hi all,

On Wed, Feb 25, 2015 at 5:58 PM, Lester Caine wrote:

> > As soon as you have any possibility of including a file uploaded by an
> > attacker, you are probably going to lose.
>
> I think that this is perhaps the key here.

I thought it was rather obvious how this RFC works, but apparently not.
I added the following description to the RFC.

==================================================
Do not see how this RFC prevents script inclusion attacks

- include*()/require*() refuse to compile/execute file extensions other than
  ".php .phar" by default.
- move_uploaded_file() refuses to move PHP scripts. ".php .phar" is refused
  by default.

With this RFC, include*()/require*() only execute files that have a ".php" or
".phar" extension, and move_uploaded_file() refuses to move uploaded files
that can be executed as PHP scripts. Therefore, even the most obvious mistake,
like 'include $_GET["var"];', will not work anymore. i.e. It cannot read files
like "include '/etc/passwd';" nor execute a script like
"include '/path/to/upload/evil_image.jpg';".
==================================================

How could this RFC lose?

I'm not trying to protect users from shooting themselves.
However, this RFC protects PHP programs from script inclusion attacks as well
as file inclusion attacks via include/require by default.

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net
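The two default rules the RFC describes, approximated in userland PHP as an added example so their effect can be tried on an interpreter that does not implement the RFC (this is not code from the RFC or from the post above). The helper names, the SCRIPT_EXTENSIONS list and the sample file names are assumptions; the upload check is deliberately stricter than the RFC text, which names only the final extension.

```php
<?php
// Added example: userland approximation of the RFC's two default rules.
// Assumption: the constant, helper names and sample names below are mine.

const SCRIPT_EXTENSIONS = ['php', 'phar'];

// Lower-cased final extension of a path, or '' when it has none.
function final_extension(string $path): string
{
    return strtolower(pathinfo($path, PATHINFO_EXTENSION));
}

// Rule 1: include/require compile only files whose extension is listed.
// '/etc/passwd' (no extension) and 'upload/evil_image.jpg' are rejected
// before the file is opened, so they are neither disclosed nor executed.
function script_only_include(string $path)
{
    if (!in_array(final_extension($path), SCRIPT_EXTENSIONS, true)) {
        throw new RuntimeException("include refused, not a PHP script: $path");
    }
    return include $path;
}

// Rule 2: refuse to move an upload whose name would make it includable
// under rule 1. Every dot-separated segment is checked, not only the last,
// so 'shell.php.jpg'-style names are refused too; a server whose handler
// mapping keys on any segment would otherwise execute them.
function looks_like_php_script(string $name): bool
{
    $segments = explode('.', strtolower(basename($name)));
    array_shift($segments);                     // drop the base name itself
    return (bool) array_intersect($segments, SCRIPT_EXTENSIONS);
}

function script_refusing_move_uploaded_file(string $tmp, string $dest): bool
{
    if (looks_like_php_script($dest)) {
        return false;                           // refused, as the RFC default would
    }
    return move_uploaded_file($tmp, $dest);
}

// Constructed checks on the name-based rules (no real files needed):
assert(looks_like_php_script('evil.php') === true);
assert(looks_like_php_script('evil.PHP.jpg') === true);
assert(looks_like_php_script('photo.jpg') === false);
assert(final_extension('/etc/passwd') === '');
assert(final_extension('lib/Bootstrap.PHP') === 'php');
```

Wrapping include in a function changes variable scope compared with a bare include, which is why the RFC proposes the restriction inside the engine rather than in userland.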