On Mon, Feb 23, 2015 at 6:55 AM, Yasuo Ohgaki <yohg...@ohgaki.net> wrote:
> Hi Dmitry and Nikita, > > On Mon, Feb 23, 2015 at 6:23 AM, Yasuo Ohgaki <yohg...@ohgaki.net> wrote: > >> I wrote patch and made adjustment in the RFC >> https://wiki.php.net/rfc/script_only_include >> https://github.com/php/php-src/pull/1111 >> Where to check filename extension is subject to be changed. >> At first, I thought implementing this as PHP code is good, but >> I've changed my mind. It seems better to be done in Zend code. >> Opinions are appreciated. >> >> This RFC aims to make PHP as secure as other languages >> with respect to "script inclusion" attacks. >> Note: File inclusion is not a scope of this RFC. >> >> INI Changes: >> - "php_script" -> "zend.script_extensions" >> - "Allow all files": "*" -> NULL or "" >> >> Open Issues: >> - Error type - Is it OK to raise E_ERROR/E_RECOVERABLE_ERROR in >> zend_language_scanner.c? >> - Vote type - 50%+1 or 2/3 >> >> If there is anyone who would like to vote "no" for this RFC, >> I would like to know the reason and try to address/resolve issue you have. >> >> Thank you. >> > > We don't have care much about which error is raised from Zend engine, > since there > will be engine exception. > > My questions are, is it ok to raise E_ERROR or E_RECOVERABLE_ERROR from > zend_language_scanner.c? > Use E_ERROR. > > > https://github.com/php/php-src/pull/1111/files#diff-93ad74868f98ff7232ebea00007c8b7fR624 > > Does engine exception catches error from zend_error_noreturn()? > no. it'll be changed into zend_error(). I'm not a security expert, but I think that adding check for script extension won't add significant level of protection. Thanks. Dmitry. > > Thank you. > > Regards, > > -- > Yasuo Ohgaki > yohg...@ohgaki.net > >
