Hi Lester and all,
On Fri, Feb 6, 2015 at 5:30 PM, Lester Caine <les...@lsces.co.uk> wrote:
> On 06/02/15 05:01, Yasuo Ohgaki wrote:
> >> But it is the key point. It is not PHP role to do it. PHP is not
> >> > alone. It is a server configuration job. But I have said that already
> >> > many times, we got our points :)
>
> > I understand your point.
> >
> > We need both OS and PHP feature for perfection. Both of them are
> required.
> >
> > Current PHP just reads & executes all accessible files by include.
> > I think you understand my point, too :)
>
> The question is essentially CAN one prevent PHP on it's own from running
> things it shouldn't. In order to prevent people who do not understand
> the security risks from 'making a mistake'. The answer is probably only
> yes for a distribution that only comes from PHP. Other distributions are
> not following guidelines now so expecting them to do in the future is
> questionable? This is more about education of the whole infrastructure
> but I don't see the point of yet another load mechanism? I thought we
> had introduced all the necessary restrictions on include and require
> already? From a 'nannying' point of view I would have thought it was
> that hole which needed plugging since the people you are trying to
> protect will not use a new mechanism anyway? I hope that I have my own
> installations configured such that one can't upload material on-line
> that can be accessed but having to ensure third party libraries are
> using 'script' rather than 'include/require' seems a little problematic ...
Apparently, we don't provide key feature to eliminate script/file inclusion
attack that is unique to PHP.
I think the best way to go is to make 'require()' script only.
We need config to specify "script directory" to control script only
inclusion.
PHP must need to know if a file allowed to be executed. e.g.
require('../../file.php')
needs to know if it's safe to execute or not.
It must be fast. I'm thinking to cache all directory inode number specified
by "script directory" config at system initialization.
; All directories under these are script. Empty == disabled.
script_path="/var/www/lib;/var/www/html/"
; All directory under these ares files cannot be executed as script
; We don't need "engine=Off" for these directories any more.
upload_path="/var/www/html/upload;/var/www/html/user_images"
I'm not sure strtmp() or inode cache is faster. I'll take benchmark
to see if this is acceptable.
Please note that directory path configs are needed because of customizable
Zend script loader. i.e. PHP script or not cannot be decide by file
contents.
I'll rewrite whole RFC later.
Comments are appreciated.
Regards,
--
Yasuo Ohgaki
yohg...@ohgaki.net
