Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:83843
Return-Path: <yohgaki@gmail.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 76002 invoked from network); 25 Feb 2015 23:08:05 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 25 Feb 2015 23:08:05 -0000
Authentication-Results: pb1.pair.com smtp.mail=yohgaki@gmail.com; spf=pass; sender-id=pass
Authentication-Results: pb1.pair.com header.from=yohgaki@gmail.com; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.192.49 as permitted sender)
X-PHP-List-Original-Sender: yohgaki@gmail.com
X-Host-Fingerprint: 209.85.192.49 mail-qg0-f49.google.com  
Received: from [209.85.192.49] ([209.85.192.49:55972] helo=mail-qg0-f49.google.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id 03/88-34010-3D55EE45 for <internals@lists.php.net>; Wed, 25 Feb 2015 18:08:03 -0500
Received: by mail-qg0-f49.google.com with SMTP id q107so5797684qgd.8
        for <internals@lists.php.net>; Wed, 25 Feb 2015 15:08:00 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=mime-version:sender:in-reply-to:references:from:date:message-id
         :subject:to:cc:content-type;
        bh=8Yzbi86OuZEgZLdasEeQ5jvUBAvYHTNgWMRdWCc8w/Q=;
        b=0YdWApF1uCBcE4cYHW2GEtuKBbTH9Hzkwkv7C5IPeRRYpBEWF9yELhs44cNU0ZXl/W
         vefoI2Gj1Qj+z1EO7W+Kb4kanYfOV693+vSiJu/nCPHzRG4LtR86Sa8HHnKfpc6QNajs
         XkLuASLL8xEHFNV3vxQXUKWlN8gkkiNZyt852uw9//eSGp97ZfhlVDpk9shYJOdi2eqa
         NJ34OeiHRI1Jk+v7OTOen8UmWJhiML+WwfXZfpn0ysxF/MGtl+jhfwz+ZoSqWvlyy64S
         VTsNgnllAC1WfoIFS0tpCXC2Fpuv7ZBDdChwXpzg7BhlNn0YObDzvWPKb8Pv48CA6zg7
         i9eA==
X-Received: by 10.140.37.39 with SMTP id q36mr11641784qgq.18.1424905680387;
 Wed, 25 Feb 2015 15:08:00 -0800 (PST)
MIME-Version: 1.0
Sender: yohgaki@gmail.com
Received: by 10.229.198.8 with HTTP; Wed, 25 Feb 2015 15:07:20 -0800 (PST)
In-Reply-To: <54EE50CF.9090508@gmail.com>
References: <CAGa2bXbt9FAdRtW1GxDyT+G-4bWBACTso_DOizcSHmmgmSVtmA@mail.gmail.com>
 <CAGa2bXb5QEKOggRbUnmVHuib=P_tJ9_W+QyMa_SCpc7RmSCgSA@mail.gmail.com> <54EE50CF.9090508@gmail.com>
Date: Thu, 26 Feb 2015 08:07:20 +0900
X-Google-Sender-Auth: A2sY0Wc57UDm3qjQ5IdyeJAeziE
Message-ID: <CAGa2bXaHNLzuW8+DUU163k1V2wXuyrLLgbqX7gfjjrxtJK077A@mail.gmail.com>
To: Stanislav Malyshev <smalyshev@gmail.com>
Cc: "internals@lists.php.net" <internals@lists.php.net>
Content-Type: multipart/alternative; boundary=001a11c13bfceb0bfb050ff1b417
Subject: Re: [RFC][VOTE] Introduce script only include/require
From: yohgaki@ohgaki.net (Yasuo Ohgaki)

--001a11c13bfceb0bfb050ff1b417
Content-Type: text/plain; charset=UTF-8

Hi Stas,

Thank you for your reply. I understand your view, yet I thought
it's better to share your view with all of us.

On Thu, Feb 26, 2015 at 7:46 AM, Stanislav Malyshev <smalyshev@gmail.com>
wrote:

> > I saw you voted "no".
> > Could you share us the reason behind?
>
> I think I did, in my past messages to the list, but maybe I was not
> clear. I will repeat in short:
>
> 1. I think this RFC does not provide any security improvement, due to
> extreme ease with which the measures in this RFC can be circumvented by
> the attacker.
>

It's secure by default. This RFC protects programs even with most obvious
mistakes like include($_GET['var']);. Since this RFC is simple, there is no
space is left being circumvented by attackers.

2. I think this RFC provides false sense of security for people that
> create vulnerable code and lets them think it's OK to have variable
> includes without adequate safety, since they are "protected" by these
> changes.
>

This is not true. No security standards/guidelines discourage input
validations
regardless of protections existence. We already have NULL byte prevention
and
URI restriction for include/require, these mitigations neither promote
false sense
of security as all of these are "defense in depth".

Besides, the protection can be disabled easily. Smart developers will never
rely on it.

3. I think it causes significant BC break which might be warranted in
> case it provides major improvement in security, but IMO in the light of
> the above it does not provide even minor one.
>

BC is minor. Users can disable protections in various ways while
vulnerability
addressed by this RFC is the most fatal vulnerability. (Arbitrarily code
execution
is the most fatal)

This is why I vote no and call everybody to do the same.


We have simple and effective counter measure proposal against fatal
security breach.
Your reasons are not fatal reason to reject this. It could be hardly a
logical choice. IMHO.

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net

--001a11c13bfceb0bfb050ff1b417--