Newsgroups: php.internals
Message-ID: <54EEDE8E.6070201@gmail.com>
Date: Thu, 26 Feb 2015 00:51:26 -0800
From: smalyshev@gmail.com (Stanislav Malyshev)
To: Yasuo Ohgaki
CC: "internals@lists.php.net"
References: <54EE50CF.9090508@gmail.com> <54EE5A39.9040401@gmail.com>
Subject: Re: [PHP-DEV] Re: [RFC][VOTE] Introduce script only include/require

Hi!

> This can be prevented by restricting phar archive names or forbidding all
> URI names at all. The latter is the better choice.

If by "all URI" you mean all streams, that would be a very high burden,
which may break many applications using streams, including phar handling.

> There is a design problem obviously. The reason why phar:// is allowed is
> that "allow_url_include" is not INI_ALL.

The reason why phar is allowed is that phar is not a remote stream, so
access to phar is the same as access to the local file system, which is
necessary for include anyway. The contents of a phar are in the same domain
as the contents of the local filesystem; that's why no distinction is made.

> Script cannot change the setting, therefore special phar:// is needed to
> be allowed unconditionally. I would say INI_SYSTEM for allow_url_include
> is a false sense of security. It introduced a security issue like you've
> mentioned.

It doesn't introduce any issues, unless you declare there should be a
distinction between files on the filesystem, which is needed to make your
approach useful. But I do not think it's good security - trying to allow
including user-controlled files securely is IMO a futile task.
The problem should be fixed at the root - by not having such includes that
allow arbitrary filenames injected by the user.

-- 
Stas Malyshev
smalyshev@gmail.com
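The "fix at the root" approach argued for above, as an added example that is not part of this thread or of PHP's own code: user input selects a key in a fixed table and is never used as a path, so neither `phar://` nor any other wrapper or traversal string ever reaches `include`. The page file names and the `pages` directory are assumptions for illustration.

```php
<?php
declare(strict_types=1);

// Constructed allow-list: route name => file inside one fixed directory.
// (Hypothetical file names for illustration.)
const PAGES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

/**
 * Map a user-supplied page name to a path, or return null if it is not
 * in the allow-list. Returning the path (instead of including here) keeps
 * the decision logic separate from the side effect and easy to unit-test.
 */
function resolvePage(string $name, string $baseDir): ?string
{
    // Exact key lookup: 'phar://x.phar/y', '../../etc/passwd' or 'home.php'
    // are simply absent from the table and are refused. No string
    // sanitising is attempted, because the input is never treated as a path.
    if (!array_key_exists($name, PAGES)) {
        return null;
    }
    return $baseDir . DIRECTORY_SEPARATOR . PAGES[$name];
}

// The pattern the thread argues against, kept only for contrast (do not use):
//   include $_GET['page'] . '.php';
// allow_url_include=0 blocks remote wrappers, but phar:// is treated like the
// local filesystem, so the request still chooses which file gets included.

// Hardened dispatch (assumed layout: pages live in ./pages next to this file).
$baseDir = __DIR__ . '/pages';
$name    = (isset($_GET['page']) && is_string($_GET['page'])) ? $_GET['page'] : 'home';
$path    = resolvePage($name, $baseDir);

if ($path === null) {
    // Log the rejected value for detection; unexpected page names are a
    // useful signal of probing against the dispatcher.
    error_log('rejected page parameter: ' . substr($name, 0, 200));
    http_response_code(404);
    exit('Unknown page');
}

include $path;
```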