Newsgroups: php.internals
Subject: Re: [PHP-DEV] [RFC] Script only include/require
From: Yasuo Ohgaki <yohgaki@ohgaki.net>
Date: Wed, 25 Feb 2015 18:51:52 +0900
To: Kevin Ingwersen (Ingwie Phoenix)
Cc: Stanislav Malyshev, Pádraic Brady, internals@lists.php.net

Hi Kevin,

On Wed, Feb 25, 2015 at 6:08 PM, Yasuo Ohgaki wrote:

>> Your PHP code is only so secure as you make it. If you are in need of
>> such an RFC just to block a few „rare cases“, then I would rather suggest
>> that you either check your source or hand it to a professional to get it
>> counter-checked.
>>
>> Besides that, it is never a good idea to let a user upload
>> /everything/ that they want to. A proper MIME-type check can be helpful in
>> these scenarios.
>>
>
> A MIME-type check cannot help at all, as it does not guarantee that there
> are no embedded PHP scripts in the file.
> Neither image resizing nor removing EXIF info can help.
>

One more comment on this.

Did you know that Ruby and Perl could be vulnerable to script inclusion if
simple image validation is used and there is script-inclusion-vulnerable
code? I'm not going to write how it could be done, because this is not a
security list.

Script inclusion can be done via an image with Ruby and Perl just like with
PHP, yet Ruby and Perl do not have vulnerable apps, unlike PHP. Why? Because
it's much harder to attack with Ruby/Perl.

Please read this:
https://wiki.php.net/rfc/script_only_include#do_not_see_how_this_rfc_prevent_script_inclusion_attacks
and if you ever see a fatal issue, please let me know.

Thank you.
--
Yasuo Ohgaki
yohgaki@ohgaki.net
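As an added illustration of the point made in the post above (this is not code from the RFC or from the post's author), the following PHP script shows a byte-valid GIF that passes a magic-byte MIME check yet carries a PHP open tag, and a guard at the include site that rejects any path outside the application's script directory. It assumes PHP 7 or later; the function names and the temporary directory layout are hypothetical.

```php
<?php
// Added example (not from the RFC or its author); names are hypothetical.
// Point: a byte-valid image can carry a PHP open tag, so a MIME/magic check
// cannot rule out script inclusion; the guard belongs at the include site.
// Constructed sample upload: minimal GIF header, then a PHP open tag.
const CONSTRUCTED_UPLOAD = "GIF89a\x01\x00\x01\x00\x00\x00\x00<?php /* tag inside an image */ ?>";

// The magic-byte (MIME) check the post argues is insufficient.
function looks_like_gif(string $bytes): bool
{
    return strncmp($bytes, 'GIF87a', 6) === 0 || strncmp($bytes, 'GIF89a', 6) === 0;
}

// Content scan for PHP open tags (<?php, <?=, short <? + whitespace):
// an extra signal for upload handling, not proof that the file is safe.
function contains_php_open_tag(string $bytes): bool
{
    return preg_match('/<\?(?:php\b|=|\s)/i', $bytes) === 1;
}

// Include-site guard: only files that resolve inside $scriptDir and end in
// .php reach include(); traversal or an upload path is rejected first.
function safe_include(string $scriptDir, string $relative)
{
    $base = realpath($scriptDir);
    $path = realpath($scriptDir . DIRECTORY_SEPARATOR . $relative);
    if ($base === false || $path === false) {
        throw new RuntimeException("script not found: $relative");
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        throw new RuntimeException("refusing include outside script dir: $relative");
    }
    if (substr($path, -4) !== '.php') {
        throw new RuntimeException("refusing non-.php file: $relative");
    }
    return include $path;
}
// Demo layout: a legitimate script directory beside an uploads directory.
$root = sys_get_temp_dir() . '/inc_demo_' . getmypid();
mkdir("$root/scripts", 0700, true);
mkdir("$root/uploads", 0700, true);
file_put_contents("$root/scripts/page.php", "<?php return 'page ok';");
file_put_contents("$root/uploads/avatar.gif", CONSTRUCTED_UPLOAD);
var_dump(looks_like_gif(CONSTRUCTED_UPLOAD));        // MIME check accepts it
var_dump(contains_php_open_tag(CONSTRUCTED_UPLOAD)); // content scan flags it
var_dump(safe_include("$root/scripts", 'page.php'));
try {
    safe_include("$root/scripts", '../uploads/avatar.gif'); // rejected, never parsed
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

The content scan is only a secondary signal; the guard that actually closes the hole is the one in front of include(), which is the layer the RFC targets.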