Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:83867
Return-Path: <yohgaki@gmail.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 27878 invoked from network); 26 Feb 2015 04:40:13 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 26 Feb 2015 04:40:13 -0000
Authentication-Results: pb1.pair.com header.from=yohgaki@gmail.com; sender-id=pass
Authentication-Results: pb1.pair.com smtp.mail=yohgaki@gmail.com; spf=pass; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.192.44 as permitted sender)
X-PHP-List-Original-Sender: yohgaki@gmail.com
X-Host-Fingerprint: 209.85.192.44 mail-qg0-f44.google.com  
Received: from [209.85.192.44] ([209.85.192.44:40747] helo=mail-qg0-f44.google.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id BF/60-23986-AA3AEE45 for <internals@lists.php.net>; Wed, 25 Feb 2015 23:40:11 -0500
Received: by mail-qg0-f44.google.com with SMTP id j5so6885252qga.3
        for <internals@lists.php.net>; Wed, 25 Feb 2015 20:40:07 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=mime-version:sender:in-reply-to:references:from:date:message-id
         :subject:to:cc:content-type;
        bh=f663KFltmkHotWghERlIOHOypUXPGtIs0duiKn6BK9o=;
        b=BTH5WW6DxvCbjvOYQFZJecSZRsUB8XyiVNREiJNQVEamw3pWfYsjFu/aDn6scvVYfa
         X4yOFfvPYxRkuPdTGuMSx1Kr+7WX/M5vJSR4FkCYAQRSK4naKkychXvrCbVhuHW5887V
         LCld/E8TI0NWBylA0hM06P/4GitELbfFjnoAX83de0nrWU+dUBZKRv2Bqh7a+jFGHQ8q
         dxOH5Bv183zH9jNznfdweskAhUU/B1wbRp/CgNFXCYIHcnp5VFgrB58v5DL9XGfTppw5
         wK8RdU0/26KVc9jLT92Yuv7/cRIWlqg9YXrCy0jh/s2ewe2get9BXx3PPeO6YraoxgzG
         3+ug==
X-Received: by 10.140.85.137 with SMTP id n9mr13749968qgd.17.1424925607564;
 Wed, 25 Feb 2015 20:40:07 -0800 (PST)
MIME-Version: 1.0
Sender: yohgaki@gmail.com
Received: by 10.229.198.8 with HTTP; Wed, 25 Feb 2015 20:39:27 -0800 (PST)
In-Reply-To: <CAGa2bXYWQCZA8_-EpQcb_Af7DT-_FV7HdfAHZrVt4V7i7vEURg@mail.gmail.com>
References: <CAGa2bXbt9FAdRtW1GxDyT+G-4bWBACTso_DOizcSHmmgmSVtmA@mail.gmail.com>
 <CAGa2bXb5QEKOggRbUnmVHuib=P_tJ9_W+QyMa_SCpc7RmSCgSA@mail.gmail.com>
 <54EE50CF.9090508@gmail.com> <CALwr1GmoAxfbKvJYVLeL3wPXEKKbu1jKGkTFcG0KQ_Ogx172sA@mail.gmail.com>
 <54EE5A39.9040401@gmail.com> <CAGa2bXYWQCZA8_-EpQcb_Af7DT-_FV7HdfAHZrVt4V7i7vEURg@mail.gmail.com>
Date: Thu, 26 Feb 2015 13:39:27 +0900
X-Google-Sender-Auth: enk_miXURfL1QMFcDgKDJG5C7Y4
Message-ID: <CAGa2bXY4LU3pS6H2LSbWpaO0yPiZKUAvwJ86A6pf6TCEk9pb7A@mail.gmail.com>
To: Stanislav Malyshev <smalyshev@gmail.com>
Cc: =?UTF-8?Q?P=C3=A1draic_Brady?= <padraic.brady@gmail.com>, 
	"internals@lists.php.net" <internals@lists.php.net>
Content-Type: multipart/alternative; boundary=001a11c12894ab9a54050ff65856
Subject: Re: [PHP-DEV] Re: [RFC][VOTE] Introduce script only include/require
From: yohgaki@ohgaki.net (Yasuo Ohgaki)

--001a11c12894ab9a54050ff65856
Content-Type: text/plain; charset=UTF-8

Hi Stas,

On Thu, Feb 26, 2015 at 10:48 AM, Yasuo Ohgaki <yohgaki@ohgaki.net> wrote:

> I think you mean I ignored this. Let's discuss it.
>
> ============================================
> > They'd need to upload with a matching file type. Instead of any file
>
> Not sure what you mean by that. phar can read tars, etc. AFAIK, can't
> it? Also, phar archive has no requirement of being named something.phar,
> afaik can be also named cuteponies.gif. E.g., I just did this:
>
> 1. Created file chump.php:
>
> <?php
>
> include $argv[1];
>
> This is an idealized vulnerable script.
>
> 2. Created file pwnd.php
> <?php
>
> echo "pwnd!";
>
> This is an idealized exploit.
>
> 3. Put it into an archive:
> tar cvzf cuteponies.gif pwnd.php
>
> 4. Run this:
>
> php -dallow_url_include=0 chump.php phar://cuteponies.gif/pwnd.php
>
> The output is:
>
> pwnd!
>
> I'm not sure how this measure would protect from such scenario. Am I
> missing something here?
> ============================================
>
> This can be prevented by restricting phar archive name or forbid all
> URI name at all. The latter is better choice.
>
> The root cause of this is the way "allow_url_include" is implemented.
> "allow_url_include=Off" should disallow any type of URI include in the
> first place. As you know, PHP can have custom loaders that use
> URI form. Therefore, any kinds of custom loaders can be enabled by
> modules. It's a nightmare for security standpoint.
>
> There is design problem obviously. The reason why phar:// is allowed is
> that "allow_url_include" is not INI_ALL.
>
> http://php.net/manual/en/filesystem.configuration.php
>
> Script cannot change the setting, therefore special phar:// is needed to
> be allowed unconditionally. I would say INI_SYSTEM for allow_url_include
> is false sense of security. It introduced security issue like you've
> mentioned.
>
> To resolve issues with custom loaders, we need to change the design.
> This kind of *design mistake* is better to be fixed anyway.
>
> I don't mind to write another RFC and implement it.
>
> What do you think?
>

One additional comment on this.

The issue here is the same as safe_mode. It's "caller"and "callee"
responsibility
issue. One of the reason why safe mode design was failed is it made
"callee"
responsibility that making sure safe operation even if there are conditions
to be
secure.

allow_url_include is the same. It made "callee" responsibility to be
secure.
As your example illustrates, it fails.  Defense in depth can fail if it
isn't designed
carefully.

"Caller" must have responsibility when there are conditions to be secure. Or
"callee" must separate entry point/settings to cover all conditions.

Both allow_url_include and safe mode have the same design problem.
These are broken in the first place.

Anyway, although it is related, this is different security issue to be
fixed and
I hope you agree to fix it.

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net

--001a11c12894ab9a54050ff65856--