On 2/11/14, 9:42 AM, Yasuo Ohgaki wrote:
> Let me rephrase. Does anyone argue that the fact
>
> Local script inclusion is *much grater security threat* than local script
> expose.
>
> "Local script expose" is the only drawback of this RFC.
> Currently, insecure include()/require() allows script execution.
> With this RFC, insecure include()/require() may allow script expose.
>
> Latter is obvious error as it shows wrong behavior while script execution
> is
> not obvious at all. If user care to script expose, they can simply add
> "<?php"
> at the top of script as it is now.
>
> We can make secure program with register_globals=On as well as embed
> everything by default. The same argument applies here. IMHO.
You need 2 things to go wrong though. 1st, you need a way for someone to
upload arbitrary files, and second, you need a include $_GET['filename']
somewhere. However, if you think about it, the include part is
completely secondary, if you can upload arbitrary files you can just
request them directly in order to execute them so the include part is
irrelevant.
Or, if you remove the arbitrary upload part you are down to only being
able to include already existing files but most files don't actually do
anything on their own. PHP files tend to either be top-level template
files designed to be shown to the user, or they contain functions or
classes which do nothing until called. The act of including them
typically doesn't actually execute any code. So yes, in my view script
exposure is a more serious problem than script execution from an
insecure include so your suggested change would make things worse, not
better.
-Rasmus
Attachment: [application/pgp-signature] OpenPGP digital signature signature.asc