Hi Jan,

On Tue, Feb 24, 2015 at 12:51 AM, Jan Ehrhardt <php...@ehrhardt.nl> wrote:

> Yasuo Ohgaki in php.internals (Mon, 23 Feb 2015 18:53:10 +0900):
> >On Mon, Feb 23, 2015 at 6:52 PM, Yasuo Ohgaki <yohg...@ohgaki.net> wrote:
> >
> >> ini_set('.php .phar .module .etc');
> >
> >ini_set('zend.script_extensions', '.php .phar .module .etc');
> >
> >to be correct.
>
> Quote from a Drupal 7 .htaccess:
>
> # Protect files and directories from prying eyes.
> <FilesMatch "\.(engine|inc|info|install|make|module|profile|test|po|sh|.*sql|theme|tpl(\.php)?|xtmpl)$|^(\..*|Entries.*|Repository|Root|Tag|Template)$">
>   Order allow,deny
> </FilesMatch>
>
> A lot of these, even .test, are used as include scripts. How would the
> corresponding .htaccess entry for zend.script_extensions be formulated?
>

My patch allows up to 32 extensions, or disabling the protection, so all of these can be used as PHP scripts by

ini_set('zend.script_extensions', ''); // The same as now. No mitigations.

I don't recommend disabling the protection or adding too many extensions, but it's up to developers.

By the way, that configuration is not for PHP scripts, but for file access control from external clients. I suppose Drupal uses far fewer filename extensions for PHP scripts. Otherwise it would be too weak against script inclusion (or direct PHP script access via uploaded files).

I checked the Drupal 8 files briefly. I see a few .module/.inc files (there may be others). They could either be renamed to .module.php/.inc.php, or use

ini_set('zend.script_extensions', '.php .module .inc .phar');

I suggest developers use the standard extension for PHP scripts, and use only a few extensions as PHP scripts if that is ever needed. Leaving zend.script_extensions at its default and using '.php' for PHP scripts would be the best practice. I think most apps/scripts follow this already.

Regards,

P.S. My patch does not protect against "direct access", i.e. it allows execution of PHP scripts specified by the web server configuration when PHP is a module of the web server, e.g.

<FilesMatch "\.png$">
    SetHandler application/x-httpd-php
</FilesMatch>

allows ".png" files to be executed as PHP scripts regardless of "zend.script_extensions". The PHP script file is opened by the web server and PHP will not check the file extension in this case. The patch checks only when the script file is loaded by PHP/Zend.

--
Yasuo Ohgaki
yohg...@ohgaki.net

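The policy the message describes, as an added example that is not part of the thread and is neither Yasuo's engine patch nor PHP core: a userland emulation of the proposed zend.script_extensions check, so that a whitelist like the Drupal one above can be exercised against request-derived include paths before any engine support exists. The space-separated list, the 32-entry cap and '' meaning "no mitigation" follow the mail; the case-insensitive suffix match, the NUL-byte refusal, the sample paths and the function names (parse_script_extensions, script_extension_allowed, guarded_include) are this example's own assumptions.

```php
<?php
// Added example, not from the mailing-list post and not Yasuo's engine patch:
// a userland emulation of the proposed zend.script_extensions policy. The
// space-separated list, the 32-entry cap and '' meaning "no mitigation"
// follow the mail; case-insensitive suffix matching, NUL-byte refusal and the
// function names are this example's own choices.

const SCRIPT_EXTENSIONS_MAX = 32;

/**
 * Parse an INI value such as '.php .phar .module' into a lowercase list.
 * Returns [] for '' (protection disabled); throws if the cap is exceeded.
 */
function parse_script_extensions(string $ini): array
{
    $exts = preg_split('/\s+/', trim($ini), -1, PREG_SPLIT_NO_EMPTY);
    if (count($exts) > SCRIPT_EXTENSIONS_MAX) {
        throw new InvalidArgumentException(
            'zend.script_extensions: more than ' . SCRIPT_EXTENSIONS_MAX . ' entries'
        );
    }
    return array_map('strtolower', $exts);
}

/**
 * Decide whether $path may be loaded as a PHP script under the policy $ini.
 * Only the last path component is examined, as an engine-side check would do
 * when it opens the file; a NUL byte anywhere in the path is refused so that
 * "shell.php\0.png" cannot look like ".png" to one check and ".php" to another.
 */
function script_extension_allowed(string $path, string $ini): bool
{
    if (strpos($path, "\0") !== false) {
        return false;
    }
    $exts = parse_script_extensions($ini);
    if ($exts === []) {
        return true;    // '' keeps today's behaviour: any file can be included
    }
    $base = strtolower(basename($path));
    foreach ($exts as $ext) {
        $n = strlen($ext);
        // require at least one character of file name before the extension
        if (strlen($base) > $n && substr($base, -$n) === $ext) {
            return true;
        }
    }
    return false;
}

/**
 * include() wrapper that applies the policy before the engine sees the file.
 * Use it in place of a bare include on paths derived from request data.
 */
function guarded_include(string $path, string $ini)
{
    if (!script_extension_allowed($path, $ini)) {
        throw new RuntimeException("refusing to load non-script file: $path");
    }
    return include $path;
}

// Constructed paths, not real files: the uploaded-image case the mail warns
// about, a normal script, and a Drupal .module under two different policies.
$default = '.php .phar';
$drupal  = '.php .module .inc .phar';
foreach ([
    ['/var/www/uploads/avatar.png',               $default],
    ['/var/www/uploads/avatar.png',               ''],
    ['/var/www/html/index.php',                   $default],
    ['/var/www/d8/core/modules/node/node.module', $default],
    ['/var/www/d8/core/modules/node/node.module', $drupal],
    ["/var/www/uploads/shell.php\0.png",          $default],
] as [$path, $ini]) {
    printf("%-45s %-28s %s\n",
        addcslashes($path, "\0"),
        "'$ini'",
        script_extension_allowed($path, $ini) ? 'allowed' : 'refused');
}
```

Like the engine patch itself, this wrapper only governs files that PHP code asks to load; it cannot help when the web server has already mapped a ".png" to the PHP handler with SetHandler, which is a web server configuration matter.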