Newsgroups: php.internals
Date: Thu, 26 Feb 2015 09:05:32 +0900
From: yohgaki@ohgaki.net (Yasuo Ohgaki)
To: Stanislav Malyshev
Cc: Pádraic Brady, internals@lists.php.net
In-Reply-To: <54EE5A39.9040401@gmail.com>
Subject: Re: [PHP-DEV] Re: [RFC][VOTE] Introduce script only include/require

Hi Stas,

On Thu, Feb 26, 2015 at 8:26 AM, Stanislav Malyshev wrote:
> Padraic, I'm not really interested in another prolonged discussion,
> especially where my arguments are ignored or misconstrued and then
> dismissed. I have explained my opinion; if somebody has questions about
> the substance of my arguments or needs me to clarify my points, rather
> than flat-out denial of what I am saying, they know where to find me. I
> think this RFC is bad. You think it's excellent. I tried to explain my
> point to you; judging by your responses, I failed to convey my meaning.
> I am probably bad at this, but I'm not going to become better by
> repeating the same over and over.

I'm not ignoring your discussion at all. That's why I proposed context based protection before. It turned out context based detection does not work well at all, given your discussion. So I switched back to the original idea, which detects the filename extension.

As I stated in the RFC, we have/had so many script/file inclusion vulnerabilities in the past. F-Secure, which is one of the antivirus vendors, reports that image based PHP script malware is increasing! We can easily find WordPress users who had a WebShell installed by attackers, for example.

What I'm proposing is to introduce effective mitigation (defense in depth) against a _fatal_ security breach. Your discussion of this RFC does not negate the protection proposed. IMHO.

If you don't like or don't need the protection, you can easily disable it, while the protection can protect many programs/users against a fatal security breach. (I'm not saying the proposal can prevent all kinds of code/attacks.)

I don't think attackers can circumvent the default configuration. If they can, please let me know. Please keep in mind that we are discussing include/require security.

I hope you realize the benefits of this proposal.

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net
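As an added illustration (not code from the RFC, the PHP source tree, or either poster), here is a userland approximation of the mitigation Yasuo describes: an include wrapper that refuses any file whose extension is not a script extension, so that an uploaded "image" carrying PHP code cannot be executed via include/require. It goes one step beyond the RFC by also pinning includes to a base directory. The function names `include_policy_check`/`safe_include`, the allow-list, and the sample files under a temp directory are my assumptions.

```php
<?php
// Added illustration, not the RFC's engine patch. Userland include wrapper:
// 1) resolve the path (symlinks and ".." included),
// 2) require it to sit under a fixed base directory,
// 3) require the final extension to be on a script allow-list.
// Names and sample paths are assumptions for this demo.

function include_policy_check(string $path, string $baseDir, array $allowedExt = ['php', 'phtml']): string
{
    // realpath() collapses "..", so "views/../uploads/x.jpg" is judged by where it really lands.
    $real = realpath($path);
    $base = realpath($baseDir);
    if ($real === false || $base === false) {
        throw new RuntimeException("include refused: cannot resolve $path");
    }
    if (strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        throw new RuntimeException("include refused: $real is outside $base");
    }
    // Only the last extension counts: "shell.php.jpg" ends in "jpg" and is refused.
    $ext = strtolower(pathinfo($real, PATHINFO_EXTENSION));
    if (!in_array($ext, $allowedExt, true)) {
        throw new RuntimeException("include refused: '$ext' is not a script extension");
    }
    return $real;
}

function safe_include(string $path, string $baseDir)
{
    // include is a language construct, so it accepts the checked path directly.
    return include include_policy_check($path, $baseDir);
}

// Constructed demo tree: one real template, two non-script files, one of them
// an "image" whose bytes contain PHP code (the pattern the mail refers to).
$tmp = sys_get_temp_dir() . '/include_demo_' . bin2hex(random_bytes(4));
mkdir("$tmp/views", 0700, true);
mkdir("$tmp/uploads", 0700, true);
file_put_contents("$tmp/views/page.php", "<?php return 'rendered page';");
file_put_contents("$tmp/views/banner.jpg", "\xFF\xD8\xFF<?php echo 'would run if included'; ?>");
file_put_contents("$tmp/uploads/avatar.jpg", "\xFF\xD8\xFF<?php echo 'would run if included'; ?>");

var_dump(safe_include("$tmp/views/page.php", "$tmp/views"));   // string(13) "rendered page"

$attempts = [
    "$tmp/views/banner.jpg",              // inside base, but not a script extension
    "$tmp/uploads/avatar.jpg",            // outside base
    "$tmp/views/../uploads/avatar.jpg",   // traversal that resolves outside base
];
foreach ($attempts as $p) {
    try {
        safe_include($p, "$tmp/views");
        echo "UNEXPECTED: $p was included\n";
    } catch (RuntimeException $e) {
        echo $e->getMessage(), PHP_EOL;   // each of the three is refused
    }
}
```

The extension test is applied after `realpath()`, so the decision is made on the file that would actually be opened rather than on the string the caller passed; that is the property the RFC's extension check relies on, and it is why a single allow-list of script extensions is enough to keep uploaded data files out of include/require regardless of how their path was spelled.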