Hi!
> Some of you are tired with this topic, but please take a look the RFC
>
> [RFC] Script only includes - this is 3rd version.
> https://wiki.php.net/rfc/script_only_include
>
> Please let me know what you like or dislike.
I think there are several issues with this RFC:
1. It does not protect against all the problems it purports to protect.
I.e. if you want to protect against local PHP code accessing evil
uploaded files, local PHP code can also do echo
file_get_contents('/etc/paswd') and still have a problem (actually, very
common LFI issue). Even if the application only allows to require
random file, it may be possible to inject data via other means - such as
data stream, URL, temp files, session files, etc. Upload is not the only
way inputs can be controlled.
2. Legitimate files can include <? as byte sequence - in fact, it is
almost guaranteed big enough binary file would contain it. Restricting
upload of such files would break uploading functionality on many sites.
3. General approach of this RFC is, given site with glaring security
hole in their code, give them a measure of protection against some of
the consequences. This looks like safe_mode approach, and that proved
ineffective in the past.
--
Stas Malyshev
smalys...@gmail.com
--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
