Re: Re: [RFC] No PHP tags

From:	Rowan Collins	Date:	Wed, 12 Feb 2014 22:43:04 +0000
Subject:	Re: Re: [RFC] No PHP tags
References:	1 2	Groups:	php.internals
Request:	Send a blank email to [email protected] to get a copy of this message

Yasuo Ohgaki wrote (on 11/02/2014):
Local script inclusion is*much grater security threat*  than local script
expose.

I've been trying to follow the pros and cons of this RFC, and I'm really scratching my head on what the security benefit is supposed to be.

As I understand it, for this to even be relevant security-wise, it would need to involve a dynamic file path being included, and an attacker somehow influencing either which file was loaded, or the contents of that file.

The scenarios I can see are:

1) the include was intended to be PHP code, and the attacker substitutes different PHP code of their choice
2) the include was intended to be PHP code, and the attacker accesses non-PHP data already on server
3) the include was intended to be non-PHP data, and the attacker substitutes PHP code of their choice
4) the include was intended to be non-PHP data, and the attacker accesses different non-PHP data already on server

This sentence in the RFC Summary sounds like it's talking about 3:

However, embedded scripts are serious security risk as it can executes any PHP code in any files.

But if somebody is using include() for non-PHP data, they're using the wrong function anyway, end of story.

Barring bugs in the engine (e.g. null byte handling) 1 and 4 are something that no language can guard against: substituting code for code, or data for data (if include() couldn't do it, file_get_contents() could). There's a lot of talk in the RFC about validating file *contents*, but it seems to me that careful whitelisting of file location and naming is generally more relevant (e.g. "/etc/passwd" doesn't end in ".php", so it's kind of obvious you shouldn't be passing it to an include statement).

2 seems to be more relevant to me: without the "always echo if no <?php found" rule, it's easier to trick include() into acting like readfile(). The failure to load the expected PHP code would probably cause a Fatal Error anyway, but the contents might be exposed first.

But that doesn't seem to be the exploit that is being discussed on this RFC. Or am I misunderstanding completely?

Could somebody enlighten me with an artificially simplified example of a code execution attack that is possible today but would be prevented (or preventable) with the proposed change?

Thanks,
-- 
Rowan Collins
[IMSoP]


   

Thread (37 messages)

• Yasuo OhgakiMon, 10 Feb 2014 07:35:28 +0000
  • Stas MalyshevMon, 10 Feb 2014 07:56:35 +0000
  • Rasmus LerdorfMon, 10 Feb 2014 08:14:20 +0000
    • Yasuo OhgakiMon, 10 Feb 2014 21:40:12 +0000
  • Andrea FauldsMon, 10 Feb 2014 12:24:46 +0000
  • Sebastian KrebsMon, 10 Feb 2014 14:16:44 +0000
    • Yasuo OhgakiMon, 10 Feb 2014 21:42:15 +0000
      • Madara UchihaMon, 10 Feb 2014 22:39:51 +0000
      • Lester CaineMon, 10 Feb 2014 23:35:07 +0000
  • Kris CraigTue, 11 Feb 2014 00:29:35 +0000
  • Yasuo OhgakiTue, 11 Feb 2014 17:42:13 +0000Re: [RFC] No PHP tags
    • Rasmus LerdorfTue, 11 Feb 2014 18:10:44 +0000Re: Re: [RFC] No PHP tags
      • Yasuo OhgakiTue, 11 Feb 2014 23:13:30 +0000
        • Yasuo OhgakiTue, 11 Feb 2014 23:33:32 +0000
          • Rasmus LerdorfWed, 12 Feb 2014 01:29:01 +0000
            • Yasuo OhgakiWed, 12 Feb 2014 02:16:20 +0000
        • Lester CaineTue, 11 Feb 2014 23:43:10 +0000
          • Yasuo OhgakiWed, 12 Feb 2014 01:02:26 +0000
            • Lester CaineWed, 12 Feb 2014 05:39:44 +0000
              • Lester CaineWed, 12 Feb 2014 05:56:37 +0000
                • Yasuo OhgakiWed, 12 Feb 2014 06:17:38 +0000
                  • Lester CaineWed, 12 Feb 2014 07:15:40 +0000
                    • Yasuo OhgakiWed, 12 Feb 2014 08:04:29 +0000
              • Yasuo OhgakiWed, 12 Feb 2014 06:26:21 +0000
    • Yasuo OhgakiTue, 11 Feb 2014 18:11:03 +0000
    • Lester CaineTue, 11 Feb 2014 19:26:15 +0000Re: Re: [RFC] No PHP tags
    • Rowan CollinsWed, 12 Feb 2014 22:43:04 +0000Re: Re: [RFC] No PHP tags
      • Yasuo OhgakiThu, 13 Feb 2014 01:30:52 +0000
        • Rasmus LerdorfThu, 13 Feb 2014 15:07:41 +0000
          • Yasuo OhgakiThu, 13 Feb 2014 22:51:59 +0000
            • Rasmus LerdorfFri, 14 Feb 2014 00:00:53 +0000
              • Yasuo OhgakiFri, 14 Feb 2014 01:01:35 +0000
        • Rowan CollinsFri, 14 Feb 2014 17:10:08 +0000
          • Yasuo OhgakiFri, 14 Feb 2014 22:28:08 +0000
            • Johannes SchlüterFri, 14 Feb 2014 23:53:44 +0000
              • Yasuo OhgakiSat, 15 Feb 2014 00:03:23 +0000
• Andrey AndreevTue, 11 Feb 2014 13:21:16 +0000Re: [RFC] No PHP tags