Hi Rasmus,
On Wed, Feb 12, 2014 at 8:13 AM, Yasuo Ohgaki <[email protected]> wrote:
> On Wed, Feb 12, 2014 at 3:10 AM, Rasmus Lerdorf <[email protected]> wrote:
>
>> On 2/11/14, 9:42 AM, Yasuo Ohgaki wrote:
>> > Let me rephrase. Does anyone argue that the fact
>> >
>> > Local script inclusion is *much greater security threat* than local script
>> > expose.
>> >
>> > "Local script expose" is the only drawback of this RFC.
>> > Currently, insecure include()/require() allows script execution.
>> > With this RFC, insecure include()/require() may allow script expose.
>> >
>> > The latter is an obvious error as it shows wrong behavior, while script
>> > execution is not obvious at all. If users care about script expose, they
>> > can simply add "<?php" at the top of the script as it is now.
>> >
>> > We can make secure program with register_globals=On as well as embed
>> > everything by default. The same argument applies here. IMHO.
>>
>> You need 2 things to go wrong though. 1st, you need a way for someone to
>> upload arbitrary files, and second, you need a include $_GET['filename']
>> somewhere. However, if you think about it, the include part is
>> completely secondary, if you can upload arbitrary files you can just
>> request them directly in order to execute them so the include part is
>> irrelevant.
>>
>
> I'm aware of this issue. That's the reason why I added script()/script_once()
> to original proposal. (include()/require() works as it is now. For
> compatibility, users may simply wrap include() to have script() for older PHP)
>
I forgot to mention 2nd. I usually disable engine for upload directory by
httpd.conf or do not allow to upload anything under webroot.
Regards,
--
Yasuo Ohgaki
[email protected]
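
The two conditions discussed in this thread (an upload path and an `include $_GET['filename']`), shown in hardened form as an added illustration that is not part of the original messages or of the RFC. The directory paths, the `PAGES` map and both function names are assumptions made for the example.

```php
<?php
declare(strict_types=1);

// Assumed layout (hypothetical paths): page scripts sit in one fixed
// directory; uploads are stored outside the web root, so they cannot be
// requested directly and are never on an include path.
const PAGE_DIR   = __DIR__ . '/pages';
const UPLOAD_DIR = '/var/lib/example-app/uploads';

// The risky pattern from the thread is: include $_GET['filename'];
// Here the request value only selects a key from a fixed map, so no
// request-supplied string ever becomes part of a filesystem path.
const PAGES = [
    'home'    => 'home.php',
    'contact' => 'contact.php',
];

function resolve_page(string $requested): ?string
{
    if (!array_key_exists($requested, PAGES)) {
        return null;                    // unknown key: nothing is included
    }
    return PAGE_DIR . '/' . PAGES[$requested];
}

// Store an upload under a server-generated name with no client-supplied
// name or extension, so the stored file is never "something.php".
function store_upload(array $file): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;
    }
    $name = bin2hex(random_bytes(16));
    $dest = UPLOAD_DIR . '/' . $name;
    // move_uploaded_file() refuses anything that is not a real HTTP upload.
    return move_uploaded_file($file['tmp_name'], $dest) ? $name : null;
}

// Constructed sample inputs: one valid key, one traversal attempt toward
// the upload directory, one raw filename.
foreach (['home', '../uploads/avatar.png', 'contact.php'] as $input) {
    $path = resolve_page($input);
    printf("%-24s => %s\n", $input, $path ?? 'rejected');
}
```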