Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:83842
Return-Path: <padraic.brady@gmail.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 74210 invoked from network); 25 Feb 2015 23:04:06 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 25 Feb 2015 23:04:06 -0000
Authentication-Results: pb1.pair.com header.from=padraic.brady@gmail.com; sender-id=pass
Authentication-Results: pb1.pair.com smtp.mail=padraic.brady@gmail.com; spf=pass; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.160.176 as permitted sender)
X-PHP-List-Original-Sender: padraic.brady@gmail.com
X-Host-Fingerprint: 209.85.160.176 mail-yk0-f176.google.com  
Received: from [209.85.160.176] ([209.85.160.176:45934] helo=mail-yk0-f176.google.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id 99/18-34010-5E45EE45 for <internals@lists.php.net>; Wed, 25 Feb 2015 18:04:05 -0500
Received: by ykr200 with SMTP id 200so2396669ykr.12
        for <internals@lists.php.net>; Wed, 25 Feb 2015 15:04:02 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=mime-version:in-reply-to:references:date:message-id:subject:from:to
         :cc:content-type:content-transfer-encoding;
        bh=w2+kD2YgbmEgomC8M9WV+gyu/7L2roFtbJ6sqMkV9QQ=;
        b=CR62/OlOgkCjzKHRU0RJ0yV2SdPegSzMC0pg7V4QD5f0RznUbIL/4DubnGajpB+8Zw
         121t/hFXwVPrKpuZWYRvSsCC123EDHG7d0qYXRnnXqSJiokrjGU2KGfFbjge1M9PHH8N
         2Ut+IyxkNJkeuFXG+uPAsBlYAg41jURFcQ3ARlP7qIblH1yAeKBak2TsvvewTZmbrAk5
         XPXp1c4C54CCF7ZVcUk0gjllQz8dfnoy60LoqdY0Y+/IQE5lk691ZLMCu3K+JEiMI7At
         I5lR4E0zN5MVxifBv3W9PDqhl/zUDzoRTvR3Lo02ta1U86lPFmL1f7Im7O+GthZqfSpB
         xwzg==
MIME-Version: 1.0
X-Received: by 10.236.227.198 with SMTP id d66mr5189476yhq.147.1424905442460;
 Wed, 25 Feb 2015 15:04:02 -0800 (PST)
Received: by 10.170.222.86 with HTTP; Wed, 25 Feb 2015 15:04:02 -0800 (PST)
In-Reply-To: <54EE50CF.9090508@gmail.com>
References: <CAGa2bXbt9FAdRtW1GxDyT+G-4bWBACTso_DOizcSHmmgmSVtmA@mail.gmail.com>
	<CAGa2bXb5QEKOggRbUnmVHuib=P_tJ9_W+QyMa_SCpc7RmSCgSA@mail.gmail.com>
	<54EE50CF.9090508@gmail.com>
Date: Wed, 25 Feb 2015 23:04:02 +0000
Message-ID: <CALwr1GmoAxfbKvJYVLeL3wPXEKKbu1jKGkTFcG0KQ_Ogx172sA@mail.gmail.com>
To: Stanislav Malyshev <smalyshev@gmail.com>
Cc: Yasuo Ohgaki <yohgaki@ohgaki.net>, "internals@lists.php.net" <internals@lists.php.net>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
Subject: Re: [PHP-DEV] Re: [RFC][VOTE] Introduce script only include/require
From: padraic.brady@gmail.com (=?UTF-8?Q?P=C3=A1draic_Brady?=)

Hi Stanislav,

On 25 February 2015 at 22:46, Stanislav Malyshev <smalyshev@gmail.com> wrot=
e:
> Hi!
>
>> I saw you voted "no".
>> Could you share us the reason behind?
>
> I think I did, in my past messages to the list, but maybe I was not
> clear. I will repeat in short:
>
> 1. I think this RFC does not provide any security improvement, due to
> extreme ease with which the measures in this RFC can be circumvented by
> the attacker.

All of which you demonstrated by ignoring the example provided showing
what it mitigates, and creating your own example where no file
validation was executed. A case that the RFC was in no way designed to
prevent. You basically created a non-existing benefit, proved that the
non-existing benefit did not exist, and that is apparently your
reason.

Surprise. TRUE =3D=3D=3D TRUE.

I asked you back in a previous response to locate an example for which
the RFC was designed to prevent that would fail. That would have had
significant value to the discussion. I take it you found none.

> 2. I think this RFC provides false sense of security for people that
> create vulnerable code and lets them think it's OK to have variable
> includes without adequate safety, since they are "protected" by these
> changes.

RFC does not claim any such protection. RFC does not, therefore, offer
such protection. RFC will not be documented as offering any such
protection.

But fine, users will magically make false assumptions that need to
stop validating files and fielding variables before they hit include.

> 3. I think it causes significant BC break which might be warranted in
> case it provides major improvement in security, but IMO in the light of

A BC break targeting a major PHP version. Which can be configured
flexibly for those who need it, like Drupal.

As documented in the RFC.

> the above it does not provide even minor one.
>
> This is why I vote no and call everybody to do the same.

You keep ignoring that minor flaw in your claim where it does actually
provide a benefit in blocking PHP bearing JPEGs as one example
mentioned several times.

Is there some sort of meter on Internals where, in the red, there is
an obligation to fill it back up with FUD, logical fallacies and the
occasional fib?

Paddy

--
P=C3=A1draic Brady

http://blog.astrumfutura.com
http://www.survivethedeepend.com