This is an attempt to protect people who have written inherently insecure code anyway. One should
never do a dynamic require to any untrusted location, if ever at all, yes?
Sent from my iPhone
On Apr 8, 2012, at 8:00 AM, Ángel González <[email protected]> wrote:
> 2012/4/8, Yasuo Ohgaki:
>> 2012/4/8 Ángel González <[email protected]>:
>>> How does it help security?
>>> If any, requiring '<?php' before executable code makes easier to filter
>>> out malicious files on apps with uploads in case there's a local
>>> inclusion vulnerability somewhere.
>>>
>> Attackers may inject PHP script almost anything/anywhere since
>> PHP code may be embed anywhere in a file.
>>
>> For example, malicious PHP script may be in GIF something like
>>
>> gif89a ...any data.. <?php exec('rm -rf /') ?>
>>
>> and all attacker have to do is include/require the data somehow.
>> Attacker cannot do that this for other languages, since they are
>> not a embedded language. I know case that attackers may inject
>> malicious perl/ruby script in data files, but PHP is too easy
>> compare to these languages.
>>
>> Regards,
>>
>> --
>> Yasuo Ohgaki
> Yes, but if I properly check that there's no '<?php' in the uploaded files
> (as you should verify everything you allow users to upload), it can't be
> exploited.
> OTOH if the vulnerable include is not an include but an include_code,
> they could
> use a file which was
>> exec("rm -rf"); // Example of what not to do
> And was happily uploaded as "plain text".
>
>
>
>
> --
> PHP Internals - PHP Runtime Development Mailing List
> To unsubscribe, visit: http://www.php.net/unsub.php
>