Re: RFC: source files without opening tag

From: Stas Malyshev Date: Mon, 09 Apr 2012 20:04:54 +0000

Subject: Re: RFC: source files without opening tag

References: 1 2 3 4 5 6 7 8 9 10 11 12 13 Groups: php.internals

Request: Send a blank email to [email protected] to get a copy of this message

Hi!

>> I'm not sure I follow - which PHP vulnerability you are talking about?
> 
> Local file includes. (LFI)

I'm not sure I understand - where's the vulnerability?

> There is a null byte protection for LFI and I really like to the protection.
> It's also beneficial to other problems. However, it would not help codes
> like "include $_REQUEST['var']"

Don't write such code. It's like saying exec() function is a
"vulnerability" in libc. You instruct PHP to run code based on user
input - that's what PHP will be doing, it's not a "vulnerability" by any
definition.

-- 
Stanislav Malyshev, Software Architect
SugarCRM: http://www.sugarcrm.com/
(408)454-6900 ext. 227

Thread (109 messages)

Tom BoutellSun, 08 Apr 2012 16:32:23 +0000
Kris CraigSun, 08 Apr 2012 21:10:52 +0000
Tom BoutellSun, 08 Apr 2012 21:25:08 +0000
Yasuo OhgakiSun, 08 Apr 2012 21:49:43 +0000
Yasuo OhgakiSun, 08 Apr 2012 21:55:28 +0000
Tom BoutellSun, 08 Apr 2012 22:20:20 +0000
Yasuo OhgakiSun, 08 Apr 2012 22:45:48 +0000
Tom BoutellSun, 08 Apr 2012 23:14:08 +0000
Kris CraigMon, 09 Apr 2012 05:16:55 +0000
Tom BoutellMon, 09 Apr 2012 10:55:39 +0000
Yasuo OhgakiMon, 09 Apr 2012 05:48:24 +0000
Yasuo OhgakiMon, 09 Apr 2012 06:17:20 +0000
Tom BoutellMon, 09 Apr 2012 10:57:31 +0000
Arvids GodjuksTue, 10 Apr 2012 00:07:38 +0000
Yasuo OhgakiTue, 10 Apr 2012 00:19:13 +0000
Tom BoutellMon, 09 Apr 2012 11:29:09 +0000Re: RFC: source files without opening tag
Ángel GonzálezMon, 09 Apr 2012 12:26:39 +0000Re: Re: RFC: source files without opening tag
Rick WIdmerMon, 09 Apr 2012 13:16:42 +0000
Tom BoutellMon, 09 Apr 2012 13:40:07 +0000
CrocodileMon, 09 Apr 2012 14:02:24 +0000
Luke ScottMon, 09 Apr 2012 15:43:37 +0000
Tom BoutellMon, 09 Apr 2012 16:16:18 +0000
Luke ScottMon, 09 Apr 2012 17:10:55 +0000
Tom BoutellMon, 09 Apr 2012 17:22:07 +0000
Tom BoutellMon, 09 Apr 2012 17:23:05 +0000
Luke ScottMon, 09 Apr 2012 17:36:38 +0000
Ángel GonzálezMon, 09 Apr 2012 19:32:27 +0000
Luke ScottMon, 09 Apr 2012 19:57:18 +0000
Ralph SchindlerMon, 09 Apr 2012 17:43:10 +0000
Luke ScottMon, 09 Apr 2012 17:51:06 +0000
Tom BoutellMon, 09 Apr 2012 18:25:59 +0000
Ralph SchindlerMon, 09 Apr 2012 19:20:34 +0000
Yasuo OhgakiMon, 09 Apr 2012 19:36:26 +0000
Stas MalyshevMon, 09 Apr 2012 19:38:24 +0000
Yasuo OhgakiMon, 09 Apr 2012 19:45:56 +0000
Stas MalyshevMon, 09 Apr 2012 20:04:54 +0000
Yasuo OhgakiMon, 09 Apr 2012 20:20:23 +0000
Kris CraigMon, 09 Apr 2012 20:41:21 +0000
Rick WIdmerMon, 09 Apr 2012 20:58:42 +0000
Tom BoutellMon, 09 Apr 2012 21:03:04 +0000
Kris CraigMon, 09 Apr 2012 21:22:07 +0000
Tom BoutellMon, 09 Apr 2012 21:24:44 +0000
Kris CraigMon, 09 Apr 2012 21:32:03 +0000
Luke ScottMon, 09 Apr 2012 21:38:15 +0000
Kris CraigMon, 09 Apr 2012 22:06:49 +0000
Tom BoutellMon, 09 Apr 2012 22:17:51 +0000
Luke ScottMon, 09 Apr 2012 22:34:47 +0000
Tom BoutellMon, 09 Apr 2012 22:53:03 +0000
Luke ScottMon, 09 Apr 2012 23:06:12 +0000
Tom BoutellMon, 09 Apr 2012 23:47:49 +0000
Kris CraigTue, 10 Apr 2012 00:02:30 +0000
Luke ScottTue, 10 Apr 2012 01:15:15 +0000
Kris CraigTue, 10 Apr 2012 01:22:51 +0000
Yasuo OhgakiTue, 10 Apr 2012 02:02:54 +0000
Kris CraigTue, 10 Apr 2012 02:15:40 +0000
Yasuo OhgakiTue, 10 Apr 2012 02:29:00 +0000
Luke ScottTue, 10 Apr 2012 02:29:44 +0000
Yasuo OhgakiTue, 10 Apr 2012 02:50:08 +0000
Luke ScottTue, 10 Apr 2012 03:03:54 +0000
Yasuo OhgakiTue, 10 Apr 2012 03:25:23 +0000
Luke ScottTue, 10 Apr 2012 03:30:38 +0000
Chris StocktonTue, 10 Apr 2012 04:08:47 +0000
Yasuo OhgakiTue, 10 Apr 2012 04:17:06 +0000
Yasuo OhgakiTue, 10 Apr 2012 04:24:33 +0000
Luke ScottTue, 10 Apr 2012 00:27:19 +0000
Tom BoutellTue, 10 Apr 2012 00:38:21 +0000
Luke ScottTue, 10 Apr 2012 01:11:38 +0000
Tom BoutellTue, 10 Apr 2012 01:22:29 +0000
Luke ScottTue, 10 Apr 2012 02:20:32 +0000
Yasuo OhgakiTue, 10 Apr 2012 02:44:15 +0000
Luke ScottTue, 10 Apr 2012 02:48:45 +0000
Yasuo OhgakiTue, 10 Apr 2012 03:05:36 +0000
Luke ScottTue, 10 Apr 2012 03:39:52 +0000
Yasuo OhgakiTue, 10 Apr 2012 04:07:58 +0000
Luke ScottTue, 10 Apr 2012 04:23:58 +0000
Yasuo OhgakiTue, 10 Apr 2012 05:03:12 +0000
Luke ScottTue, 10 Apr 2012 05:35:35 +0000
Kris CraigTue, 10 Apr 2012 06:53:38 +0000
Yasuo OhgakiTue, 10 Apr 2012 07:37:26 +0000
Yasuo OhgakiTue, 10 Apr 2012 07:30:26 +0000
Adam HarveyTue, 10 Apr 2012 08:01:53 +0000
Ferenc KovacsTue, 10 Apr 2012 08:23:07 +0000
Too deep!
Tom BoutellTue, 10 Apr 2012 12:35:19 +0000
Too deep!
Kris CraigMon, 09 Apr 2012 22:54:05 +0000
Luke ScottMon, 09 Apr 2012 23:08:58 +0000
Tom BoutellMon, 09 Apr 2012 23:46:28 +0000
Kris CraigMon, 09 Apr 2012 21:06:13 +0000
Yasuo OhgakiMon, 09 Apr 2012 20:15:00 +0000
Stas MalyshevMon, 09 Apr 2012 20:38:03 +0000
Yasuo OhgakiMon, 09 Apr 2012 23:35:32 +0000
Yasuo OhgakiMon, 09 Apr 2012 23:54:19 +0000
Stas MalyshevTue, 10 Apr 2012 03:05:00 +0000
Yasuo OhgakiTue, 10 Apr 2012 03:12:12 +0000
Stas MalyshevTue, 10 Apr 2012 03:02:35 +0000
Luke ScottMon, 09 Apr 2012 20:18:50 +0000
Chris StocktonMon, 09 Apr 2012 18:23:16 +0000
Ángel GonzálezMon, 09 Apr 2012 19:21:46 +0000
Luke ScottMon, 09 Apr 2012 20:06:12 +0000
Ángel GonzálezTue, 10 Apr 2012 15:57:46 +0000
Chris StocktonTue, 10 Apr 2012 17:22:29 +0000
Ángel GonzálezTue, 10 Apr 2012 20:49:50 +0000
Chris StocktonMon, 09 Apr 2012 20:41:40 +0000
Ángel GonzálezTue, 10 Apr 2012 15:53:00 +0000

« previous	php.internals (#59539)	next »

From:	Stas Malyshev	Date:	Mon, 09 Apr 2012 20:04:54 +0000
Subject:	Re: RFC: source files without opening tag
References:	1 2 3 4 5 6 7 8 9 10 11 12 13	Groups:	php.internals
Request:	Send a blank email to [email protected] to get a copy of this message