Hi Jan, On Tue, Feb 24, 2015 at 12:51 AM, Jan Ehrhardt <php...@ehrhardt.nl> wrote:
> Yasuo Ohgaki in php.internals (Mon, 23 Feb 2015 18:53:10 +0900):
> >On Mon, Feb 23, 2015 at 6:52 PM, Yasuo Ohgaki <yohg...@ohgaki.net> wrote:
> >
> >> ini_set('.php .phar .module .etc');
> >
> >ini_set('zend.script_extensions', '.php .phar .module .etc');
> >
> >to be correct.
>
> Quote from a Drupal 7 .htaccess:
>
> # Protect files and directories from prying eyes.
> <FilesMatch
> "\.(engine|inc|info|install|make|module|profile|test|po|sh|.*sql|theme|tpl(\.php)?|xtmpl)$|^(\..*|Entries.*|Repository|Root|Tag|Template)$">
> Order allow,deny
> </FilesMatch>
>
> A lot of these, even .test, are used as include scripts. How would the
> corresponding .htaccess entry for zend.script_extensions be formulated?

My patch allows up to 32 extensions or disabling the protection, so all of these can be used as PHP scripts by

ini_set('zend.script_extensions', ''); // The same as now. No mitigations.

I don't recommend disabling the protection nor adding too many extensions, but it's up to developers.

By the way, the configuration is not for PHP scripts, but file access control from external clients. I suppose Drupal uses far fewer filename extensions for PHP scripts. Otherwise, it will be too weak against script inclusion (or direct PHP script access via uploaded files).

I checked Drupal 8 files briefly. I see a few .module/.inc (there may be others). They may either rename to .module.php/.inc.php or

ini_set('zend.script_extensions', '.php .module .inc .phar');

I suggest developers use the standard extension for PHP scripts, and use only a few extensions as PHP scripts if it's ever needed. Leaving zend.script_extensions at its default and using '.php' for PHP scripts would be the best practice. I think most apps/scripts follow this already.

Regards,

P.S. My patch does not protect "direct access", i.e. it allows execution of PHP scripts specified by web server configurations when PHP is a module of the web server. e.g.
<FilesMatch \.png$>
SetHandler application/x-httpd-php
</FilesMatch>

allows ".png" files to be executed as PHP scripts regardless of "zend.script_extensions". In this case the PHP script file is opened by the web server and PHP will not check the file extension. The patch checks only when the script file is loaded by PHP/Zend.

--
Yasuo Ohgaki
yohg...@ohgaki.net
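As an added illustration, not the patch itself and not code from the thread, the following userland PHP models the semantics described above for zend.script_extensions: a whitespace-separated list of at most 32 extensions, an empty value disabling the check, and the check applying only to files PHP/Zend loads itself (include/require), never to files the web server hands to PHP via SetHandler. Function names, the suffix-match rule and the assumed default value '.php .phar' are my own assumptions.

```php
<?php
// Constructed model of the proposed zend.script_extensions check.
// Not the real patch: the engine would do this when loading a script file;
// here the same rule guards include/require in userland.
declare(strict_types=1);

const MAX_SCRIPT_EXTENSIONS = 32;          // limit stated in the thread
const ASSUMED_DEFAULT       = '.php .phar'; // assumption: default value is not given in the thread

// Parse the ini value. null means "protection disabled" (empty value).
function parse_script_extensions(string $setting): ?array
{
    $setting = trim($setting);
    if ($setting === '') {
        return null;
    }
    $exts = preg_split('/\s+/', strtolower($setting));
    if (count($exts) > MAX_SCRIPT_EXTENSIONS) {
        throw new InvalidArgumentException('zend.script_extensions: at most 32 extensions allowed');
    }
    return $exts;
}

// Suffix match on the file name: "node.module" passes with ".module",
// "node.module.php" passes with ".php". Assumed semantics.
function script_extension_allowed(string $path, ?array $allowed): bool
{
    if ($allowed === null) {
        return true; // protection disabled, same as today
    }
    $base = strtolower(basename($path));
    foreach ($allowed as $ext) {
        $len = strlen($ext);
        if ($len > 0 && strlen($base) > $len && substr($base, -$len) === $ext) {
            return true;
        }
    }
    return false;
}

// Guarded include: this is the only path the check covers. A web server
// mapping (e.g. SetHandler on .png) bypasses it entirely, as the P.S. notes.
function guarded_require(string $path, string $setting = ASSUMED_DEFAULT): void
{
    if (!script_extension_allowed($path, parse_script_extensions($setting))) {
        throw new RuntimeException("refusing to load $path: extension not in zend.script_extensions");
    }
    require $path;
}

// Constructed sample paths: a Drupal-style .module file and an uploaded image.
var_dump(script_extension_allowed('modules/node/node.module', parse_script_extensions(ASSUMED_DEFAULT)));
var_dump(script_extension_allowed('modules/node/node.module', parse_script_extensions('.php .module .inc .phar')));
var_dump(script_extension_allowed('uploads/avatar.png', parse_script_extensions(ASSUMED_DEFAULT)));
var_dump(script_extension_allowed('uploads/avatar.png', parse_script_extensions('')));
```

The last call shows why disabling the setting is discouraged in the thread: with an empty value an uploaded .png passes the check just as it does today.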