Hi all, On Tue, Feb 24, 2015 at 7:20 PM, Yasuo Ohgaki <yohg...@ohgaki.net> wrote:
> On Tue, Feb 24, 2015 at 4:00 PM, Dmitry Stogov <dmi...@zend.com> wrote:
>
>> Use E_ERROR.
>>
>>> https://github.com/php/php-src/pull/1111/files#diff-93ad74868f98ff7232ebea00007c8b7fR624
>>>
>>> Does engine exception catch error from zend_error_noreturn()?
>>
>> no. it'll be changed into zend_error().
>
> Thank you for the comment.
>
>> I'm not a security expert, but I think that adding check for script
>> extension won't add significant level of protection.
>
> I agree. For developers who have more than average skills, this RFC
> would not be helpful. File inclusions by readfile()/etc are fatal as well.
> Users must be careful anyway.
>
> My objective is to reduce risk of server takeover by script inclusions
> as low as other languages and being nice to new developers. I've audited
> a number of web applications written in various languages; there isn't much
> difference in programmers' skills. My samples are too few and do not
> represent actual figures, but we'll have less vulnerable PHP apps by this.
> IMHO.

I would like to show one common example that is unique to PHP.

https://www.google.co.jp/search?q=Exif+Webshell+Backdoor

This RFC prevents this type of attack effectively. All users have to do is "checking file extension is image".

Regards,

--
Yasuo Ohgaki
yohg...@ohgaki.net
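Added example (not from the thread, not from php-src or the RFC under discussion) illustrating the attack class Yasuo points at: PHP code smuggled into the EXIF/APP1 segment of an uploaded image and then executed because include() parses whatever bytes it is given, regardless of extension. The file name avatar.jpg, the temp directory, the fake JPEG bytes and the harmless echo payload are all constructed here; the safe_include() function is a userland stand-in for the kind of extension check the RFC proposes at engine level, not the RFC's own implementation.

```php
<?php
// Added example. Demonstrates (1) that include() executes PHP embedded in a
// file with an image extension and (2) a userland check that refuses it.
// Everything below (paths, bytes, payload) is constructed for the demo.
declare(strict_types=1);

// Build a minimal "JPEG": SOI marker, one APP1 (Exif) segment whose payload
// carries PHP code (where an attacker would put a webshell via an EXIF
// comment), then EOI. The payload is a harmless echo.
function build_fake_exif_image(string $dir): string
{
    $php  = "<?php echo 'PHP INSIDE IMAGE EXECUTED'; ?>";
    $app1 = "Exif\0\0" . $php;
    $len  = pack('n', strlen($app1) + 2);       // segment length includes its own 2 bytes
    $jpeg = "\xFF\xD8" . "\xFF\xE1" . $len . $app1 . "\xFF\xD9";
    $path = $dir . '/avatar.jpg';
    file_put_contents($path, $jpeg);
    return $path;
}

// Vulnerable pattern: user-controlled name reaches include() unchecked.
// The engine emits the non-PHP bytes as output and runs the PHP inside.
function vulnerable_include(string $uploadsDir, string $userSupplied): string
{
    ob_start();
    include $uploadsDir . '/' . $userSupplied;  // e.g. ?page=avatar.jpg
    return (string) ob_get_clean();
}

// Hardened pattern: canonicalise, confine to the intended directory, and
// refuse any file whose extension is not a script extension before include().
function safe_include(string $scriptDir, string $userSupplied): string
{
    $real = realpath($scriptDir . '/' . $userSupplied);
    $base = realpath($scriptDir);
    if ($real === false || $base === false
        || strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        throw new RuntimeException('path escapes script directory');
    }
    if (strtolower(pathinfo($real, PATHINFO_EXTENSION)) !== 'php') {
        throw new RuntimeException('refusing to include non-script file: ' . basename($real));
    }
    ob_start();
    include $real;
    return (string) ob_get_clean();
}

$dir = sys_get_temp_dir() . '/exif_demo_' . bin2hex(random_bytes(4));
mkdir($dir);
$img = build_fake_exif_image($dir);

// 1. Vulnerable: the string echoed from inside the "image" appears in output.
$out = vulnerable_include($dir, basename($img));
echo strpos($out, 'PHP INSIDE IMAGE EXECUTED') !== false
    ? "vulnerable_include: embedded PHP ran\n"
    : "vulnerable_include: no execution\n";

// 2. Hardened: the same request is rejected before include() is reached.
try {
    safe_include($dir, basename($img));
    echo "safe_include: included (unexpected)\n";
} catch (RuntimeException $e) {
    echo 'safe_include: blocked: ', $e->getMessage(), "\n";
}

unlink($img);
rmdir($dir);
```

Run it with any PHP 7+ CLI. The first branch prints that the embedded PHP ran; the second prints the refusal. Note that the extension check alone does not stop a script-named file with attacker-controlled contents (an upload handler that accepts `shell.php` is still fatal), which is the limitation Dmitry raises above; the check closes the image-with-payload path, not the general file-upload problem.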