Re: [PHP-DEV] [RFC][DISCUSSION] Script only includes

2015-02-11 Thread Patrick Schaaf
Hi, another one of my weird ideas: what about a script signing mode? - ini setting containing an HMAC key - first <?php tag in a file must then have a signature, a la <?php:Base64encodedstring - no parsing of files that fail the signature check - (maybe optional) disabling of eval Of course such

Re: [PHP-DEV] [RFC][DISCUSSION] Script only includes

2015-02-11 Thread Yasuo Ohgaki
Hi Stas, On Wed, Feb 11, 2015 at 4:32 PM, Stanislav Malyshev smalys...@gmail.com wrote: Some of you are tired of this topic, but please take a look at the RFC [RFC] Script only includes - this is the 3rd version. https://wiki.php.net/rfc/script_only_include Please let me know what you

Re: [PHP-DEV] [RFC][DISCUSSION] Script only includes

2015-02-11 Thread Stanislav Malyshev
Hi! I'm not trying to be perfect, but I would like to make PHP as secure as other languages from script inclusion attacks. It's too easy currently... PHP is already as secure as the other languages. If you have code in Python that loads an arbitrary file and executes it, you could upload Python

Re: [PHP-DEV] [RFC][DISCUSSION] Script only includes

2015-02-11 Thread Christoph Becker
Hi Yasuo, Yasuo Ohgaki wrote: Hi Christoph, On Wed, Feb 11, 2015 at 10:45 AM, Christoph Becker cmbecke...@gmx.de wrote: We have tried to educate users already and introduced some mitigations e.g. allow_url_include, open_basedir. However, enough time has passed to prove that wasn't

Re: [PHP-DEV] [RFC][DISCUSSION] Script only includes

2015-02-11 Thread Yasuo Ohgaki
Hi Stas, On Thu, Feb 12, 2015 at 3:21 AM, Stanislav Malyshev smalys...@gmail.com wrote: I'm not trying to be perfect, but I would like to make PHP as secure as other languages from script inclusion attacks. It's too easy currently... PHP is already as secure as the other languages. If

Re: [PHP-DEV] [RFC][DISCUSSION] Script only includes

2015-02-11 Thread Derick Rethans
On Tue, 10 Feb 2015, Yasuo Ohgaki wrote: Hi all, Some of you are tired of this topic, but please take a look at the RFC [RFC] Script only includes - this is the 3rd version. https://wiki.php.net/rfc/script_only_include Please let me know what you like or dislike. Con: - It introduces an

Re: [PHP-DEV] [RFC][DISCUSSION] Script only includes

2015-02-11 Thread Derick Rethans
On Wed, 11 Feb 2015, Yasuo Ohgaki wrote: Hi Markus, On Tue, Feb 10, 2015 at 5:59 PM, Markus Fischer mar...@fischer.name wrote: What constitutes first token in this context? Would this be detected as a PHP file? -8 root:x:0:0:root:/root:/bin/bash

Re: [PHP-DEV] [RFC][DISCUSSION] Script only includes

2015-02-11 Thread Lester Caine
On 11/02/15 09:34, Derick Rethans wrote: Some of you are tired of this topic, but please take a look at the RFC [RFC] Script only includes - this is the 3rd version. https://wiki.php.net/rfc/script_only_include Please let me know what you like or dislike. Con: - It introduces an INI

Re: [PHP-DEV] [RFC][DISCUSSION] Script only includes

2015-02-10 Thread Yasuo Ohgaki
Hi Pierre, On Tue, Feb 10, 2015 at 6:19 PM, Pierre Joye pierre@gmail.com wrote: On Tue, Feb 10, 2015 at 7:52 AM, Yasuo Ohgaki yohg...@ohgaki.net wrote: Hi all, Some of you are tired of this topic, but please take a look at the RFC [RFC] Script only includes - this is the 3rd version.

Re: [PHP-DEV] [RFC][DISCUSSION] Script only includes

2015-02-10 Thread Christoph Becker
Yasuo Ohgaki wrote: We have tried to educate users already and introduced some mitigations e.g. allow_url_include, open_basedir. However, enough time has passed to prove that wasn't enough, isn't it? PHP (many and these are _only_ a few of them in the wild)

Re: [PHP-DEV] [RFC][DISCUSSION] Script only includes

2015-02-10 Thread Yasuo Ohgaki
Hi Matteo, On Tue, Feb 10, 2015 at 5:22 PM, Matteo Beccati p...@beccati.com wrote: On 10/02/2015 01:52, Yasuo Ohgaki wrote: Some of you are tired of this topic, but please take a look at the RFC [RFC] Script only includes - this is the 3rd version. https://wiki.php.net/rfc/script_only_include

Re: [PHP-DEV] [RFC][DISCUSSION] Script only includes

2015-02-10 Thread Yasuo Ohgaki
Hi Christoph, On Wed, Feb 11, 2015 at 10:45 AM, Christoph Becker cmbecke...@gmx.de wrote: We have tried to educate users already and introduced some mitigations e.g. allow_url_include, open_basedir. However, enough time has passed to prove that wasn't enough, isn't it? PHP (many

Re: [PHP-DEV] [RFC][DISCUSSION] Script only includes

2015-02-10 Thread Markus Fischer
On 10.02.15 01:52, Yasuo Ohgaki wrote: Some of you are tired of this topic, but please take a look at the RFC [RFC] Script only includes - this is the 3rd version. https://wiki.php.net/rfc/script_only_include Please let me know what you like or dislike. How exactly does this detection work?

Re: [PHP-DEV] [RFC][DISCUSSION] Script only includes

2015-02-10 Thread Matteo Beccati
Hi Yasuo, On 10/02/2015 01:52, Yasuo Ohgaki wrote: Some of you are tired of this topic, but please take a look at the RFC [RFC] Script only includes - this is the 3rd version. https://wiki.php.net/rfc/script_only_include Please let me know what you like or dislike. I understand your goal, but ini

Re: [PHP-DEV] [RFC][DISCUSSION] Script only includes

2015-02-10 Thread Pierre Joye
On Tue, Feb 10, 2015 at 7:52 AM, Yasuo Ohgaki yohg...@ohgaki.net wrote: Hi all, Some of you are tired of this topic, but please take a look at the RFC [RFC] Script only includes - this is the 3rd version. https://wiki.php.net/rfc/script_only_include Please let me know what you like or dislike.

Re: [PHP-DEV] [RFC][DISCUSSION] Script only includes

2015-02-10 Thread Pavel Kouřil
On Tue, Feb 10, 2015 at 1:52 AM, Yasuo Ohgaki yohg...@ohgaki.net wrote: Hi all, Some of you are tired of this topic, but please take a look at the RFC [RFC] Script only includes - this is the 3rd version. https://wiki.php.net/rfc/script_only_include Please let me know what you like or dislike.

Re: [PHP-DEV] [RFC][DISCUSSION] Script only includes

2015-02-10 Thread Stanislav Malyshev
Hi! Some of you are tired of this topic, but please take a look at the RFC [RFC] Script only includes - this is the 3rd version. https://wiki.php.net/rfc/script_only_include Please let me know what you like or dislike. I think there are several issues with this RFC: 1. It does not protect

Re: [PHP-DEV] [RFC][DISCUSSION] Script only includes

2015-02-10 Thread Yasuo Ohgaki
Hi Matteo, On Wed, Feb 11, 2015 at 12:48 PM, Yasuo Ohgaki yohg...@ohgaki.net wrote: On Tue, Feb 10, 2015 at 5:22 PM, Matteo Beccati p...@beccati.com wrote: On 10/02/2015 01:52, Yasuo Ohgaki wrote: Some of you are tired of this topic, but please take a look at the RFC [RFC] Script only

Re: [PHP-DEV] [RFC][DISCUSSION] Script only includes

2015-02-10 Thread Stanislav Malyshev
Hi! I proposed script()/script_once() at first. Considering that new names might break existing apps, I chose INI. The problem with script_once is not that it may break existing apps. The problem is that somebody careful enough to use a special operator would probably be careful enough not to

Re: [PHP-DEV] [RFC][DISCUSSION] Script only includes

2015-02-10 Thread Yasuo Ohgaki
Hi Pavel, On Tue, Feb 10, 2015 at 7:06 PM, Pavel Kouřil pajou...@gmail.com wrote: IMHO the real solution to this problem is to educate the programmers how to write safer applications, not by ini settings. We have tried to educate users already and introduced some mitigations e.g.

Re: [PHP-DEV] [RFC][DISCUSSION] Script only includes

2015-02-10 Thread Yasuo Ohgaki
Hi Markus, On Tue, Feb 10, 2015 at 5:59 PM, Markus Fischer mar...@fischer.name wrote: What constitutes first token in this context? Would this be detected as a PHP file? -8 root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin

[PHP-DEV] [RFC][DISCUSSION] Script only includes

2015-02-09 Thread Yasuo Ohgaki
Hi all, Some of you are tired of this topic, but please take a look at the RFC [RFC] Script only includes - this is the 3rd version. https://wiki.php.net/rfc/script_only_include Please let me know what you like or dislike. Thank you. -- Yasuo Ohgaki yohg...@ohgaki.net