On Feb 6, 2015 9:08 AM, "Yasuo Ohgaki" <yohg...@ohgaki.net> wrote:
>
> Hi Pierre,
>
> On Fri, Feb 6, 2015 at 10:39 AM, Pierre Joye <pierre....@gmail.com> wrote:
>>
>> I do not put high value in this ISO ;-)
>
>
> I am :) Almost all of my clients are ISMS or similar certified.

Marketing ;)

>> However, back to this exact feature. I am not convinced it is the
>> right way, there are many cases requiring more than just checking valid
>> code (<?php ...), like bash bang lines, phar or other script
>> archives-like solutions. And even with this solution, a compromised
>> server (via a web app or other) could still do whatever they want with
>> php scripts if the web server is not configured correctly.
>
>
> With this proposal, <?php is allowed only at the top of a file.

So phar won't work with require_script? If that's the case then it does look good to me.

> For example, one of the easiest ways to take over servers is to embed
> script into session data files. This is prevented effectively.
>
> Users who allow phar/etc file uploads, they may have encryption or
> compression as mitigation.

What does it have to do with upload? Uploads are and should not be in a folder where php can be executed. This is a basic configuration issue on almost all web servers.

> This mitigation works well, but we cannot
> enforce all users to adopt. It requires additional code/CPU resource...
> It may ruin usability also. e.g. Files compressed by lzo or any other
> fancy algorithms are not easily accessed.

I won't say it is good or bad but phar, to take one example, is widely used.

> I suggest users to configure their OS to protect all kinds of file reading/writing
> attacks.

I agree 100%.

>
> Regards,
>
> --
> Yasuo Ohgaki
> yohg...@ohgaki.net
>