Hi again,
On Thu, Sep 20, 2018 at 5:29 PM, Arnold Daniels <arn...@jasny.net> wrote:
>
> Variable includes have proper purposes, like for a (PSR-4) autoloader. This
> can't be simply replaced with an 'if' statement. Other reasons are module
> inclusion and generated code.
>

Of course, there are a few valid applications even for the most discouraged practices - in that you are correct. But you should know I meant *user input* variable inclusion in particular. Either way, I don't see how a *user input filter* validator would help PSR-4, generated code and/or whatever you meant by module inclusion.

Just to be clear, in everything I'm saying, I assume you want to solve the following problem:

    include $_GET['page'].".php"; // <-- vulnerability (simplified, of course)

> Variable inclusion is already done very often. I don't think this filter
> will persuade people to do it that would otherwise not. This is a common
> security issue. So if variable inclusion isn't disabled in full, having a
> common way to prevent such issues seems like a good idea to me.
>

Well, I've got two things to say about this:

1. The developers who introduce such vulnerabilities are the ones who don't do validation in the first place, so the way I see it, the few poor souls who might benefit from your proposal wouldn't care for it anyway.

2. Reiterating from my previous reply, this would only serve as an excuse for some to say that user input variable inclusion is an OK thing to do, because "see, PHP has a tool specifically for it, so it must be good".

>> Sanitization is more often than not imperfect and there's always the
>> potential to bypass it.
>
> This would be a validation filter and not a sanitization filter. Can you give
> an example on how you could bypass it?
>

Sorry, you started the discussion by mentioning sanitization and I just went with it without noticing the details.

Still, even as a validator this can be bypassed depending on the application architecture - sure, you specify a base path, but who is to say I'm not trying to RCE via something within that base path?

Cheers,
Andrey.

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
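An added example, not code from either message in the thread: it puts the `include $_GET['page']` pattern discussed above next to an assumed sketch of a base-path validator (to show what such a filter can and cannot reject) and next to an explicit allowlist, where the request parameter selects a key and never becomes part of a path. The `PAGES` map and the `pages/*.php` files are assumptions.

```php
<?php
declare(strict_types=1);

// 1. The pattern from the thread: the request parameter flows straight
//    into the include path with no validation at all.
function includeUnchecked(string $page): string
{
    return $page . '.php';   // <-- vulnerability
}

// 2. Assumed sketch of a base-path validator: resolve the path and accept
//    it only if it lies under $baseDir. This rejects paths that escape
//    $baseDir, but it accepts *any* file already inside it (for example a
//    file a user was able to write there), which is the limitation raised
//    in the reply above.
function includeUnderBase(string $baseDir, string $page): ?string
{
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . $page . '.php');
    if ($base === false || $path === false) {
        return null;                      // missing file or unresolvable path
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strpos($path, $prefix) === 0 ? $path : null;
}

// 3. Explicit allowlist: user input picks a key; the paths are fixed in code.
const PAGES = [
    'home'    => 'pages/home.php',     // assumed files
    'about'   => 'pages/about.php',
    'contact' => 'pages/contact.php',
];

function includeFromAllowlist(string $page): ?string
{
    return PAGES[$page] ?? null;      // unknown keys map to nothing
}

// Constructed usage: resolve via the allowlist, then include the fixed path.
$page = (string) ($_GET['page'] ?? 'home');
$file = includeFromAllowlist($page);
if ($file === null || !is_file(__DIR__ . '/' . $file)) {
    http_response_code(404);
    exit('Unknown page');
}
require __DIR__ . '/' . $file;
```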