Newsgroups: php.internals
Xref: news.php.net php.internals:86266
Date: Sun, 17 May 2015 05:57:21 +0900
To: francois
Cc: "internals@lists.php.net"
Subject: Re: [PHP-DEV] Preload scripts and preloaded scripts only options
From: yohgaki@ohgaki.net (Yasuo Ohgaki)

Hi Francois,

On Sat, May 16, 2015 at 10:04 PM, François Laupretre wrote:

> > From: yohgaki@gmail.com [mailto:yohgaki@gmail.com] On behalf of Yasuo
> > Ohgaki
> >
> > As some of you know, I'm trying to eliminate script inclusion attacks.
> > I came up with another idea which may have consensus.
> >
> > The PHP compiler is fast enough for almost all apps without script
> > preloading. However, large sites take advantage of
> > opcache_compile_file() to maximize the performance/response.
> >
> > How about having a preloaded scripts configuration?
> > In addition, how about having an option that allows preloaded scripts
> > only?
> >
> > This way, PHP will execute only scripts listed in the "whitelist".
> > This is a perfect solution for eliminating PHP script inclusion attacks.
> > In addition, users don't have to preload scripts one by one using
> > opcache_compile_file().
> >
> > These options may be PHP/Zend or opcache options.
>
> Does it mean you preload every script you could use? In a typical
> application with potential access to, say, 4,000/5,000 PHP scripts, does it
> mean you will preload them all before running anything? I hope it is not
> the case because it's generally impossible to know in advance which files
> you'll need. That's even the main benefit of autoloading.

The idea is to preload everything into memory at startup.

I'm thinking of creating the list like

find /var/www/myapp -name '*.php' > my_script_list

and using the list as the whitelist.

We need to consider the case where the app has too many files for memory.
Keeping compiled files on disk may be an option.

> An idea I had during a previous thread about script inclusion is a way to
> register a list of patterns that paths should match. The main script would
> register them and, then, every include/require would be filtered through
> the list. It just requires running realpath() and matching the result
> against a set of patterns. Don't know the performance impact. Just an idea.

I think the idea is good enough. However, it seems there are people who do
not like it because it requires a little overhead.

The good part of the new idea is that it does not require any overhead
(except the startup delay for compiling all scripts before execution).
It also maximizes performance when the app starts.

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net
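For reference, an added example (editor's own, not code from this thread or from PHP itself) of what such an include guard could look like in userland PHP: it combines the find-generated list from Yasuo's message with the realpath() pattern check from François's. PHP 8, the list file name and the application root are assumptions.

```php
<?php
// Added example, not from the thread. Assumes PHP 8 and a list file produced by
//   find /var/www/myapp -name '*.php' > my_script_list
// (the list file name and /var/www/myapp are hypothetical).

// Build the allowlist once at startup; keys are canonical paths.
function load_allowlist(string $listFile): array
{
    $allowed = [];
    $lines = file($listFile, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) ?: [];
    foreach ($lines as $line) {
        $real = realpath($line);          // drops entries that no longer exist
        if ($real !== false) {
            $allowed[$real] = true;
        }
    }
    return $allowed;
}

// Exact-list variant (the whitelist idea): include only scripts on the list.
function guarded_include(string $path, array $allowed): mixed
{
    // realpath() collapses "..", "./" and symlinks, and returns false for
    // missing files and for stream wrappers such as http:// or php://, so
    // remote and wrapper-based inclusion never reaches include.
    $real = realpath($path);
    if ($real === false || !isset($allowed[$real])) {
        error_log("blocked include of $path");   // worth alerting on
        throw new RuntimeException("script not on allowlist: $path");
    }
    return include $real;
}

// Pattern variant (the register-a-list-of-patterns idea): allow *.php under
// registered directories. Caveat: a file dropped into an allowed directory
// (e.g. an upload) passes this check, while the exact list above rejects it.
function path_matches_patterns(string $path, array $dirs): bool
{
    $real = realpath($path);
    if ($real === false || !str_ends_with($real, '.php')) {
        return false;
    }
    foreach ($dirs as $dir) {
        $dirReal = realpath($dir);
        if ($dirReal !== false && str_starts_with($real, $dirReal . DIRECTORY_SEPARATOR)) {
            return true;
        }
    }
    return false;
}
```

At application start, load the list once with load_allowlist() and route every dynamic include through guarded_include(); the thrown exception and the error_log line give the operator something to detect on.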