Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:83854
Return-Path: <yohgaki@gmail.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 97008 invoked from network); 26 Feb 2015 00:19:13 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 26 Feb 2015 00:19:13 -0000
Authentication-Results: pb1.pair.com header.from=yohgaki@gmail.com; sender-id=pass
Authentication-Results: pb1.pair.com smtp.mail=yohgaki@gmail.com; spf=pass; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.216.48 as permitted sender)
X-PHP-List-Original-Sender: yohgaki@gmail.com
X-Host-Fingerprint: 209.85.216.48 mail-qa0-f48.google.com  
Received: from [209.85.216.48] ([209.85.216.48:64761] helo=mail-qa0-f48.google.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id 60/EC-34010-0866EE45 for <internals@lists.php.net>; Wed, 25 Feb 2015 19:19:12 -0500
Received: by mail-qa0-f48.google.com with SMTP id dc16so5432200qab.7
        for <internals@lists.php.net>; Wed, 25 Feb 2015 16:19:09 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=mime-version:sender:in-reply-to:references:from:date:message-id
         :subject:to:cc:content-type;
        bh=lwLj0G+AkPr85LW03cYSIqNNTrmJek2Zj9dvKX8SLPA=;
        b=Rkruaqf4v+WIaD9eNKA8/GQVIy70jqlYYJOZgmDhkF68VKw6hueaeYEV4lU6CotcRg
         dfSB/ZppLCQEoELLEYegO+psebpE8cfbSWwb7RwMIJv/XipPGzI3mNnl33vocwrZWkvc
         sEEHrSxoOfzFjLJOvQROU9lAseEU67X+/6osjIdgrsx5h6qHRPUZRpyrFD1L3atXmQAa
         /vBezhbzJwr9frhpK9SOJW45yck2bJ+sRlGxEUjDjmpxjVG0uXHj976ljiRRGSY3mprf
         09wf2+dGMCtdx6V37ICgQpKTy2tDDxWd8dSf9VWyRF1pTxzR2ULCkNN9uy4ynE3hRcHk
         wyyw==
X-Received: by 10.140.39.179 with SMTP id v48mr12057191qgv.77.1424909949237;
 Wed, 25 Feb 2015 16:19:09 -0800 (PST)
MIME-Version: 1.0
Sender: yohgaki@gmail.com
Received: by 10.229.198.8 with HTTP; Wed, 25 Feb 2015 16:18:29 -0800 (PST)
In-Reply-To: <2kmsealj38h1k995ninhqfr9q4fr4cascq@4ax.com>
References: <CAGa2bXbt9FAdRtW1GxDyT+G-4bWBACTso_DOizcSHmmgmSVtmA@mail.gmail.com>
 <CAGa2bXb5QEKOggRbUnmVHuib=P_tJ9_W+QyMa_SCpc7RmSCgSA@mail.gmail.com>
 <54EE50CF.9090508@gmail.com> <54EE5634.1040300@seld.be> <2kmsealj38h1k995ninhqfr9q4fr4cascq@4ax.com>
Date: Thu, 26 Feb 2015 09:18:29 +0900
X-Google-Sender-Auth: E7hbFeD4GjkDFTSFdc3RVET70Hc
Message-ID: <CAGa2bXYMrkmf=Oc71P4TqWf7pNJ8-UOdyvC-yx9KJfyLTg_NOw@mail.gmail.com>
To: Jan Ehrhardt <phpdev@ehrhardt.nl>
Cc: "internals@lists.php.net" <internals@lists.php.net>
Content-Type: multipart/alternative; boundary=001a11c131f65c8288050ff2b385
Subject: Re: [PHP-DEV] Re: [RFC][VOTE] Introduce script only include/require
From: yohgaki@ohgaki.net (Yasuo Ohgaki)

--001a11c131f65c8288050ff2b385
Content-Type: text/plain; charset=UTF-8

Hi Jan,

On Thu, Feb 26, 2015 at 8:30 AM, Jan Ehrhardt <phpdev@ehrhardt.nl> wrote:

> Jordi Boggiano in php.internals (Wed, 25 Feb 2015 23:09:40 +0000):
> >On 25/02/2015 22:46, Stanislav Malyshev wrote:
> >> 2. I think this RFC provides false sense of security for people that
> >> create vulnerable code and lets them think it's OK to have variable
> >> includes without adequate safety, since they are "protected" by these
> >> changes.
> >
> >People that are clueless already do not validate anything and are *NOT*
> >protected by this RFC. People that know what they are doing probably do
> >not need this patch. So the way I see it it's a win for random crappy
> >code out there, and a noop at worst for the others.
> >
> >> 3. I think it causes significant BC break which might be warranted in
> >> case it provides major improvement in security, but IMO in the light of
> >> the above it does not provide even minor one.
> >
> >A way to mitigate this might be to change the default to include a few
> >more common extensions like phtml, inc, or whatever. As those are all
> >commonly associated with PHP and offer no good reason to be allowed in
> >user uploads, I guess it's safe.
>
> Better yet: allow all by default. Then there is no BC break and nothing
> changes for clueless people. People with clue can make their own choice
> to use or not to use.
>

Providing "secure default" is our responsibility, especially for fatal
security breach. IMHO. We've done that for allow_url_include, for example.
I hoped allow_url_include and NULL byte prevention could eliminate script
inclusions, but it didn't.

This RFC is more powerful than allow_url_include/NULL byte protection. In
fact, it makes PHP programs as safe as other languages with respect to
script inclusions when consistent configuration is used.

The feature can be disabled by users easily. The feature warns users
possible security breaches. I don't see reasons disabling the feature
by default.

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net

--001a11c131f65c8288050ff2b385--