Hi

On Tuesday, February 24, 2015, Stanislav Malyshev <smalys...@gmail.com>
wrote:

> Hi!
>
> > Will it add a significant level of protection? No.
> >
> > Does it add protection? Yes.
> >
> > Each time we add some incremental security hardening, we make it a bit
> > harder to create vulnerabilities. In this case, if there were code
>
> In this case, it seems not to be much harder than changing a URL a bit
> or uploading a file under a different extension. OTOH, it creates a false
> sense of security - oh, I'm using the secure settings, now I can forget
> about caring for LFI! - and also has huge BC break potential. For me, it
> looks like magic quotes comeback.


They'd need to upload with a matching file type, instead of any file type.
Fewer possible types is by definition less than all types.

This is not even remotely magic quotes. No input is altered.


>
> > injection issue, the attacker must a) include a local file (not always
> > useful) or b) upload some other apparently innocent file capable of
> > being included (extremely useful). As such, this patch would lock out
> > an obvious path by restricting the files that can be included to a
> > more limited subset.
>
> Unless you disable phar, you can still include pretty much anything by
> just using phar includes, as far as I can see. I'm pretty sure there are
> also other stream tricks possible (data://? zip://?)


None of this detracts from limiting file includes. Other potential
weaknesses could be addressed separately if you agree there's more than one
not addressed here. One might say...incrementally.

Also, we are obviously talking about PHP includes with this RFC...


> > Enough incremental improvements add up to a significant improvement.
>
> If that were always true, safe mode and magic quotes would still be here
> with us.
>

You keep mentioning magic quotes. That was never an improvement. It was
removed from PHP. Please stop trying to associate two unrelated things to
establish bad practice by word proximity. The sentence is obviously true.

Paddy

-- 
Pádraic Brady

http://blog.astrumfutura.com
http://www.survivethedeepend.com
Zend Framework Community Review Team
Zend Framework PHP-FIG Representative
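The thread above argues over whether restricting include/require by file extension helps against local file inclusion when stream wrappers (phar://, data://, zip://) and uploads saved under a different extension exist. As an added example, not code from the thread, from the RFC, or from PHP itself, the class below shows what an application-level include guard looks like when those points are taken together: it refuses wrapper schemes outright, resolves the path before checking it, confines it to one directory, and only then applies an extension allowlist. The class name `IncludeGuard`, the `$baseDir` constructor argument and the default allowlist are assumptions of this example, not anything the thread specifies.

```php
<?php
// Added example for the discussion above; not code from the thread, the RFC, or PHP.
// Assumptions: $baseDir is an application-controlled directory that holds only
// application code, and $allowedExtensions is the application's own policy.

final class IncludeGuard
{
    /** Absolute, resolved root that every include must stay inside (trailing separator). */
    private string $baseDir;
    /** Allowed extensions, lowercase, without the leading dot. */
    private array $allowedExtensions;

    public function __construct(string $baseDir, array $allowedExtensions = ['php'])
    {
        $resolved = realpath($baseDir);
        if ($resolved === false) {
            throw new InvalidArgumentException("Base directory does not exist: $baseDir");
        }
        $this->baseDir = rtrim($resolved, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
        $this->allowedExtensions = array_map('strtolower', $allowedExtensions);
    }

    /**
     * Returns the resolved filesystem path if $requested may be included, or null if not.
     * Checks, in order:
     *   1. no "scheme://" prefix, so phar://, data://, zip:// and friends never reach include;
     *   2. no NUL byte, which can truncate the path in the underlying C calls;
     *   3. the path resolves (symlinks and ".." included) to a file inside $baseDir;
     *   4. the resolved file's extension is on the allowlist.
     * Only the resolved path is examined, never the raw request string.
     */
    public function resolve(string $requested): ?string
    {
        if (preg_match('#^[a-z][a-z0-9+.\-]*://#i', $requested)) {
            return null; // stream wrapper, not a plain filesystem path
        }
        if (strpos($requested, "\0") !== false) {
            return null; // embedded NUL byte
        }
        $path = realpath($this->baseDir . $requested);
        if ($path === false || !is_file($path)) {
            return null; // does not exist, or is not a regular file
        }
        if (strncmp($path, $this->baseDir, strlen($this->baseDir)) !== 0) {
            return null; // resolved outside the base directory
        }
        $ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
        if (!in_array($ext, $this->allowedExtensions, true)) {
            return null; // extension not on the allowlist
        }
        return $path;
    }

    /** Includes the file if it passes every check; throws instead of silently failing. */
    public function includeFile(string $requested): mixed
    {
        $path = $this->resolve($requested);
        if ($path === null) {
            throw new RuntimeException("Refused to include: $requested");
        }
        return include $path;
    }
}

// Constructed usage: page templates live under ./templates and only .php is allowed.
// $guard = new IncludeGuard(__DIR__ . '/templates');
// $guard->includeFile($_GET['page'] ?? 'home.php');
```

Two design points follow directly from the exchange. The extension check on its own is the weakest of the four steps: it does nothing if the upload handler lets an attacker-controlled file land inside `$baseDir` with an allowed name, so the directory confinement and the upload handler's own storage policy carry most of the weight. And the wrapper check is separate from the extension check precisely because, as the thread notes, a wrapper URL can satisfy an extension test while not referring to a plain file at all. PHP's built-in `open_basedir` and `allow_url_include` settings cover parts of the same ground at the engine level and are worth setting alongside any guard like this.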
