Hi Stas,

On Wed, Feb 25, 2015 at 5:33 AM, Pádraic Brady <padraic.br...@gmail.com> wrote:

> On Tuesday, February 24, 2015, Stanislav Malyshev <smalys...@gmail.com>
> wrote:
>
>> Hi!
>>
>> > Will it add a significant level of protection? No.
>> >
>> > Does it add protection? Yes.
>> >
>> > Each time we add some incremental security hardening, we make it a bit
>> > harder to create vulnerabilities. In this case, if there were code
>>
>> In this case, it seems not to be much harder than changing a URL a bit
>> or uploading a file under a different extension. OTOH, it creates a false
>> sense of security - oh, I'm using the secure settings, now I can forget
>> about caring for LFI! - and also has huge BC break potential. For me, it
>> looks like a magic quotes comeback.
>
>
> They'd need to upload with a matching file type. Instead of any file
> types. Fewer possible types is by definition less than all types.
>
> This is not even remotely magic quotes. No input is altered.
>

I would like to add a note on this.

Anti-virus products detect this type of file as "PHP malware". No other language has such malware. According to a recent F-Secure blog post, this type of "PHP malware" file is not decreasing but increasing. Other than this type of "PHP malware", "PHP WebShell" is detected as PHP malware by anti-virus products.

The reason why these have to be detected as "PHP malware" is that there are PHP programs vulnerable to script inclusion attacks. Leaving this as it is now would make people think "PHP is less secure than other languages", "Wow, we have many PHP malware. We may be better off not using PHP anymore".

If "PHP malware" is found on a server, developers are forced to check their code, or they have to ask people like me for a costly code check, even when the PHP programs are safe. If this RFC is accepted, developers can prove their PHP programs are safe without a code check.

This RFC's benefits may not be obvious to people on this list, but this RFC eliminates a certain type of "PHP malware".

PHP's script inclusion has been a toy for security researchers and attackers for a long time. Let's take away the toy from them.

Regards,

--
Yasuo Ohgaki
yohg...@ohgaki.net
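The "matching file type" restriction the thread argues about, shown as an added userland example rather than the RFC's engine-level implementation or any code from this thread: an include wrapper that only runs files whose resolved path stays under a base directory and whose extension is on an allowlist, so a script hidden in an uploaded `.jpg` is refused even when the attacker controls the path. The function name `safe_include`, the `pages` directory and the demo files are assumptions for the example.

```php
<?php
// Added example (not the RFC's code): emulate an include-extension allowlist in userland.
// The RFC would enforce the extension check inside the engine for every include/require;
// here it is done explicitly, together with a base-directory check against path traversal.

function safe_include(string $requested, string $baseDir, array $allowedExt = ['php'])
{
    $base = realpath($baseDir);
    $real = realpath($baseDir . DIRECTORY_SEPARATOR . $requested);
    if ($base === false || $real === false) {
        throw new RuntimeException("include target does not exist: $requested");
    }
    // Reject traversal: the resolved path must remain inside the base directory.
    if (strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        throw new RuntimeException("include target escapes base directory: $requested");
    }
    // The extension allowlist is the part the RFC would make automatic.
    $ext = strtolower(pathinfo($real, PATHINFO_EXTENSION));
    if (!in_array($ext, $allowedExt, true)) {
        throw new RuntimeException("include refused, extension '$ext' not allowed: $requested");
    }
    return include $real;
}

// Vulnerable form the thread refers to (path fully attacker-controlled):
//   include $_GET['page'];
// Hardened form (hypothetical 'pages' directory):
//   safe_include($_GET['page'] ?? 'home.php', __DIR__ . '/pages');

// Constructed demonstration: one legitimate script and one "uploaded" non-script file
// that contains PHP code but carries an image extension.
$dir = sys_get_temp_dir() . '/inc_demo_' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents("$dir/ok.php", '<?php return "included ok";');
file_put_contents("$dir/avatar.jpg", '<?php return "should never run";');

var_dump(safe_include('ok.php', $dir));
foreach (['avatar.jpg', '../outside.php'] as $bad) {
    try {
        safe_include($bad, $dir);
    } catch (RuntimeException $e) {
        echo $e->getMessage(), "\n";
    }
}
```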