On 08/02/2015 09:03, Yasuo Ohgaki wrote:
If this was a PHP_INI_PERDIR setting, then I wouldn't really mind as much.
>
>But as PHP_INI_USER, I don't like it at all.
How about allow to set the ini only once during execution?
Like open_baedir [1], it should probably be possible to *tighten* the
settings, but never *loosen* them. So, you could remove items from
script_path, or alter them to be more specific; or you could add them to
upload_path, or alter them to be more general.
The relationship to open_basedir should perhaps be more explicit - for
instance, your example of require('/etc/passwd') is better handled by
open_basedir, which also prevents readfile('/etc/passwd').
A file path should ideally be evaluated against 3 tests:
A) should this file be accessible, and readable? (controllable through
open_basedir; should be a pre-requisite for B and C)
B) should this file be writable? (currently left to OS level protection)
C) should this file be executable as PHP code? (should apply through
include()/require(), and also if passed as a direct argument to the PHP
SAPI; the latter part is currently left to the web server configuration,
while the first part cannot be controlled at all)
Even with all of these, there are still vulnerabilities, just ones which
require multiple steps, e.g.:
- for any file in (A), read its contents into memory, and trick the
application into executing it from a string
- find an intersection between (B) and (C), such as a compiled template
cache, and inject a string from user input, or a file in (A), which will
then be executed
[1]: http://php.net/manual/en/ini.core.php#ini.open-basedir
--
Rowan Collins
[IMSoP]
--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
