Hi Pierre,

On Fri, Feb 6, 2015 at 10:39 AM, Pierre Joye <pierre....@gmail.com> wrote:

> I do not put high value in this ISO ;-)

I am :) Almost all of my clients are ISMS or similar certified.

> However, back to this exact feature. I am not convinced it is the
> right way, there are many cases requiring more than just checking valid
> code (<?php ...), like bash bang lines, phar or other script
> archive-like solutions. And even with this solution, a compromised
> server (via a web app or other) could still do whatever they want with
> php scripts if the web server is not configured correctly.

With this proposal, <?php is allowed only at the top of a file. For example, one of the easiest ways to take over servers is to embed a script into session data files. This is prevented effectively.

Users who allow phar/etc. file uploads may have encryption or compression as mitigation. This mitigation works well, but we cannot force all users to adopt it. It requires additional code/CPU resources... It may ruin usability also, e.g. files compressed by lzo or any other fancy algorithms are not easily accessed.

I suggest users configure their OS to protect against all kinds of file reading/writing attacks. I agree 100%.

Regards,

--
Yasuo Ohgaki
yohg...@ohgaki.net
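The rule Yasuo describes ("<?php" only at the top of the file) and the shebang case Pierre raises, as an added stand-alone example that is not part of the thread and not PHP's own implementation of the proposal. It is a Python checker that applies the rule to a handful of constructed files: a normal script, a clean session file, a session file with an injected open tag, an HTML template with inline PHP, and a CLI script with a bash-bang line. The `allow_shebang` switch is an assumption added here to show what the bash-bang case would need; the file names and contents are constructed sample data, not files from any real system.

```python
"""Apply the 'open tag only at the top of the file' rule from the thread to sample files.

Added example, not PHP's code. The only open tag considered is '<?php'
(case-insensitive, as PHP treats it); short tags are deliberately ignored.
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional

# PHP accepts '<?PHP' as well as '<?php', so match case-insensitively.
OPEN_TAG = re.compile(rb"<\?php", re.IGNORECASE)
# A leading "#!..." line, as in CLI scripts (Pierre's "bash bang" case).
SHEBANG = re.compile(rb"\A#![^\r\n]*\r?\n")


@dataclass
class Verdict:
    ok: bool
    offset: Optional[int]  # byte offset of the first offending open tag, if any
    reason: str


def check_leading_tag_only(data: bytes, allow_shebang: bool = False) -> Verdict:
    """Return ok=True only if every '<?php' in data sits at the top of the file.

    allow_shebang is an assumption of this example: when True, a leading
    '#!' line is skipped so the tag may follow it. The proposal as quoted
    in the thread makes no such allowance.
    """
    start = 0
    if allow_shebang:
        m = SHEBANG.match(data)
        if m:
            start = m.end()
    offsets = [m.start() for m in OPEN_TAG.finditer(data)]
    if not offsets:
        # Pure data (e.g. a normal session file): nothing would execute.
        return Verdict(True, None, "no open tag")
    if offsets[0] != start:
        # The injected-session-file case: code appears somewhere inside data.
        return Verdict(False, offsets[0], "open tag is not at the top of the file")
    if len(offsets) > 1:
        # A second tag after '?>' also violates "only at the top".
        return Verdict(False, offsets[1], "second open tag after the leading one")
    return Verdict(True, None, "single open tag at the top")


def offending_files(files: Dict[str, bytes], allow_shebang: bool = False) -> Dict[str, Verdict]:
    """Run the check over a name->content mapping and keep only the rejects."""
    rejects = {}
    for name, data in files.items():
        verdict = check_leading_tag_only(data, allow_shebang=allow_shebang)
        if not verdict.ok:
            rejects[name] = verdict
    return rejects


# Constructed sample files (assumed contents, not taken from any real server).
SAMPLES: Dict[str, bytes] = {
    "app.php": b"<?php\necho 'hello';\n",
    # Ordinary PHP session file: serialized data, no code.
    "sess_abc": b'user|s:5:"admin";',
    # Session file where an attacker got an open tag into a string value.
    "sess_evil": b'user|s:28:"<?php system($_GET[\'c\']); ?>";',
    # Template mixing HTML and PHP: rejected under the strict rule.
    "page.phtml": b"<html><?php echo $title; ?></html>\n",
    # CLI script with a bash-bang line ahead of the open tag.
    "tool.php": b"#!/usr/bin/env php\n<?php\necho 1;\n",
}


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        v = check_leading_tag_only(data)
        print(f"{name:12} ok={v.ok!s:5} offset={v.offset} ({v.reason})")
    print("with allow_shebang:", sorted(offending_files(SAMPLES, allow_shebang=True)))
```

Run stand-alone, the checker accepts `app.php` and the clean session file, rejects the injected session file (tag at byte 11), the HTML template (tag at byte 6) and, by default, the CLI script; only the added `allow_shebang` switch lets the last one through, which is the gap Pierre points at.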