Hi again,

On Thu, Sep 20, 2018 at 5:29 PM, Arnold Daniels <arn...@jasny.net> wrote:
>
> Variable includes have proper purposes, like for a (PSR-4) autoloader. This
> can't be simply replaced with an 'if' statement. Other reasons are module
> inclusion and generated code.
>

Of course, there are a few valid applications even for the most
discouraged practices - in that you are correct. But you should know I
meant *user input* variable inclusion in particular.
Either way, I don't see how a *user input filter* validator would help
PSR-4, generated code and/or whatever you meant by module inclusion.

Just to be clear, in everything I'm saying, I assume you want to solve
the following problem:

    include $_GET['page'].".php"; // <-- vulnerability

(simplified, of course)

> Variable inclusion is already done very often. I don't think this filter
> will persuade people to do it that would otherwise not. This is a common
> security issue. So if variable inclusion isn't disabled in full, having a
> common way to prevent such issues seems like a good idea to me.
>

Well, I've got two things to say about this:

1. The developers who introduce such vulnerabilities are the ones who
don't do validation in the first place, so the way I see it, the few
poor souls who might benefit from your proposal wouldn't care for it
anyway.
2. Reiterating from my previous reply, this would only serve as an
excuse for some to say that user input variable inclusion is an OK
thing to do, because "see, PHP has a tool specifically for it, so it
must be good".

>> Sanitization is more often than not imperfect and there's always the
>> potential to bypass it.
>
> This would be a validation filter and not a sanitization filter. Can you give
> an example on how you could bypass it?
>

Sorry, you started the discussion by mentioning sanitization and I
just went with it without noticing the details.

Still, even as a validator this can be bypassed depending on the
application architecture - sure, you specify a base path, but who is
to say I'm not trying to RCE via something within that base path?

Cheers,
Andrey.
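As an added illustration (not part of the thread), a PHP sketch contrasting the base-path validator being proposed with an allowlist dispatch. `resolveWithinBase` and `resolveAllowlisted` are hypothetical helper names, not PHP APIs, and the sandbox files it writes are constructed for the demonstration.

```php
<?php
declare(strict_types=1);

// Allowlist dispatch: the request picks a key, the application owns every path.
const PAGES = ['home' => 'home.php', 'about' => 'about.php'];

function resolveAllowlisted(string $baseDir, string $page): ?string
{
    return isset(PAGES[$page]) ? $baseDir . '/' . PAGES[$page] : null;
}

// Base-path check modelled on the proposed filter (hypothetical helper, not a
// PHP API). It rejects paths that resolve outside $baseDir, but accepts any
// existing .php below it, which is the gap Andrey points out.
function resolveWithinBase(string $baseDir, string $page): ?string
{
    $base = realpath($baseDir);
    $real = realpath($baseDir . '/' . $page . '.php');
    if ($base === false || $real === false) {
        return null;
    }
    return str_starts_with($real, $base . DIRECTORY_SEPARATOR) ? $real : null;
}

// Constructed sandbox so the comparison runs offline (PHP >= 8.0).
$dir = sys_get_temp_dir() . '/inc_demo_' . bin2hex(random_bytes(4));
mkdir("$dir/pages", 0700, true);
file_put_contents("$dir/pages/home.php",   "<?php // a real page\n");
file_put_contents("$dir/pages/config.php", "<?php // under the base dir, never meant as a page\n");
file_put_contents("$dir/outside.php",      "<?php // outside the base dir\n");

foreach (['home', '../outside', 'config'] as $input) {
    $viaBase = resolveWithinBase("$dir/pages", $input) !== null ? 'accepted' : 'rejected';
    $viaList = resolveAllowlisted("$dir/pages", $input) !== null ? 'accepted' : 'rejected';
    printf("%-12s base-path check: %-8s  allowlist: %s\n", $input, $viaBase, $viaList);
}
// Only the allowlist rejects 'config': it decides by key, not by where a file sits.
```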

-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
