Hi,

2012/4/11 Stas Malyshev <smalys...@sugarcrm.com>:
> Hi!
>
>> https://wiki.php.net/rfc/nophptags?&#why_this_is_better_than_now
>
> I'm sorry, but I do not understand how your proposal prevents LFI. Let's
> say you had this file kill.php:
> <?php kill_kill_kill();

It's a common lazy technique that prevents unwanted script execution.
I've been using this as an additional security measure for a long time.
(It was common to me even before the JSON hijack problem, at least.)

I'm sure you have seen the same code in JSON hijack countermeasures.

while(1){}

JS cannot kill a script, so an infinite loop is used.

>
> and you were afraid that somebody would write the code "include
> $_GET['foo'];" and pass kill.php as foo and kill your server. Now, you
> propose banning <?php tag. So, kill.php would look like this:
>
> kill_kill_kill();

We don't kill(), but validate with template_mode=off.
It's impossible to inject kill() everywhere, but we can validate
file headers.

>
> and you still can include it with "include $_GET['foo'];" and get the
> same result. Where's the difference?

With template_mode=on, PHP behaves exactly the same as it is now.
The easiest way to prevent unwanted script execution is to inject kill()
at the beginning of the file.

For files not under control, LFI just discloses them :(

With template_mode=off, all we have to do is make sure files have
a valid (non-PHP code) header. Kill() injections are not required.

For files not under control, LFI results in a syntax error almost always :)

Regards,

--
Yasuo Ohgaki
yohg...@ohgaki.net

-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php