Hi Stas,

On Wed, Feb 11, 2015 at 4:32 PM, Stanislav Malyshev <smalys...@gmail.com> wrote:

> > Some of you are tired of this topic, but please take a look at the RFC
> >
> > [RFC] Script only includes - this is the 3rd version.
> > https://wiki.php.net/rfc/script_only_include
> >
> > Please let me know what you like or dislike.
>
> I think there are several issues with this RFC:
>
> 1. It does not protect against all the problems it purports to protect
> against. I.e. if you want to protect against local PHP code accessing evil
> uploaded files, local PHP code can also do echo
> file_get_contents('/etc/passwd') and still have a problem (actually, a very
> common LFI issue). Even if the application only allows requiring a
> random file, it may be possible to inject data via other means - such as
> a data stream, URL, temp files, session files, etc. Upload is not the only
> way inputs can be controlled.

The file disclosure issue is not in the scope of this RFC.

> 2. Legitimate files can include <? as a byte sequence - in fact, it is
> almost guaranteed that a big enough binary file would contain it. Restricting
> upload of such files would break uploading functionality on many sites.

Good point. Users need compression/encryption to avoid issues.

I may make move_uploaded_file() more strict. How about a syntax check? If it is detected as a script and there are no syntax errors, then reject. This will never happen for binaries. However, this is not enough. A user may upload text with a PHP program sample. So add an option that forces moving embedded PHP scripts?

Another possibility is the use of filename extension(s). It's going back to the old approach, but register script extensions and allow execution only for matching extensions. This may be the way to go.

> 3. The general approach of this RFC is, given a site with a glaring security
> hole in its code, give it a measure of protection against some of
> the consequences. This looks like the safe_mode approach, and that proved
> ineffective in the past.

I'm not trying to be perfect, but I would like to make PHP as secure as other languages against script inclusion attacks. It's too easy currently...

I hope we have consensus for a resolution.

Regards,

--
Yasuo Ohgaki
yohg...@ohgaki.net
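The two move_uploaded_file() hardening ideas floated in the reply above, "if detected as a script and there are no syntax errors, then reject" and an extension-based policy, sketched as an added example. This is not code from the RFC, from PHP, or from either participant; the function names, the SCRIPT_EXTENSIONS list and the sample uploads are assumptions constructed for illustration. It also exercises the two failure modes raised in the thread: a binary file that happens to contain "<?" (must be accepted) and a text file carrying a valid PHP sample (flagged by the content check, but not by the extension check).

```php
<?php
declare(strict_types=1);

// Added example, not part of the RFC or the mailing-list thread.
// All names below are assumptions chosen for this illustration.

/** Extensions a typical server config hands to the PHP engine (assumed list). */
const SCRIPT_EXTENSIONS = ['php', 'phtml', 'phar', 'php3', 'php4', 'php5', 'php7', 'phps'];

/** Extension policy: refuse any name the engine would execute. */
function has_script_extension(string $filename): bool
{
    // Inspect every dotted segment so "shell.php.jpg" is caught as well.
    $parts = array_map('strtolower', explode('.', basename($filename)));
    array_shift($parts); // the leading segment is the name, not an extension
    return count(array_intersect($parts, SCRIPT_EXTENSIONS)) > 0;
}

/**
 * Content policy: the bytes count as a PHP script only if they contain an
 * open tag AND the whole buffer parses. TOKEN_PARSE makes token_get_all()
 * run the parser and throw ParseError on a syntax error, so a binary blob
 * that merely contains "<?" followed by junk is not flagged, while a text
 * file carrying a valid PHP snippet is.
 */
function parses_as_php_script(string $data): bool
{
    try {
        $tokens = token_get_all($data, TOKEN_PARSE);
    } catch (ParseError $e) {
        return false; // "<?" present but not valid PHP: treat as data
    }
    foreach ($tokens as $tok) {
        if (is_array($tok) && ($tok[0] === T_OPEN_TAG || $tok[0] === T_OPEN_TAG_WITH_ECHO)) {
            return true;
        }
    }
    return false; // nothing but T_INLINE_HTML: no PHP in it
}

/**
 * Reasons an upload should not be moved into a web-reachable directory.
 * An empty array means accept. $scanContent=false gives the extension-only
 * policy discussed above.
 */
function upload_rejection_reasons(string $filename, string $data, bool $scanContent): array
{
    $reasons = [];
    if (has_script_extension($filename)) {
        $reasons[] = 'extension would be executed by the engine';
    }
    if ($scanContent && parses_as_php_script($data)) {
        $reasons[] = 'content is a syntactically valid PHP script';
    }
    return $reasons;
}

// Constructed sample uploads (not real files).
$samples = [
    'photo.png'     => "\x89PNG\r\n\x1a\n\x00\x01<?\xff\xfe}\x00", // binary containing "<?"
    'sample.txt'    => "Example:\n<?php echo 'hi'; ?>\n",          // text with a valid PHP sample
    'index.php'     => "<?php phpinfo();",                          // plain script
    'shell.php.jpg' => "<?php echo 'double extension';",            // double extension
];

foreach ($samples as $name => $bytes) {
    $reasons = upload_rejection_reasons($name, $bytes, true);
    printf("%-14s %s\n", $name, $reasons ? 'REJECT: ' . implode('; ', $reasons) : 'accept');
}
```

Running it, photo.png is accepted (the junk after "<?" does not parse, whether or not short_open_tag is enabled), sample.txt is rejected by the content check only, and the two .php names are rejected by the extension check regardless of content. Which policy is right is exactly the trade-off the reply describes: the content check refuses harmless text files that quote PHP, the extension check only helps if the server really executes nothing outside that list.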