Hi!

> They'd need to upload with a matching file type. Instead of any file

Not sure what you mean by that. phar can read tars, etc. AFAIK, can't it? Also, a phar archive has no requirement of being named something.phar; afaik it can also be named cuteponies.gif. E.g., I just did this:

1. Created file chump.php:

   <?php include $argv[1];

   This is an idealized vulnerable script.

2. Created file pwnd.php:

   <?php echo "pwnd!";

   This is an idealized exploit.

3. Put it into an archive:

   tar cvzf cuteponies.gif pwnd.php

4. Run this:

   php -dallow_url_include=0 chump.php phar://cuteponies.gif/pwnd.php

The output is:

   pwnd!

I'm not sure how this measure would protect from such a scenario. Am I missing something here?

> This is not even remotely magic quotes. No input is altered.

Don't be so literal. It's not about altering input, it's about the fact that it breaks stuff and does not add much to security.

> None of this detracts from limiting file includes. Other potential

Not sure what you mean. If you can pull off file include - which is a precondition of this feature being useful - then you can pull off phar include.

> weaknesses could be addressed separately if you agree there's more than
> one addressed not addressed here. One might say...incrementally.

The problem is there's no increment there. It's like having a password hardcoded to "password". You can say "oh, it's incremental security, at least we have a password!" but it is not incrementing the actual security.

> You keep mentioning magic quotes. That was never an improvement. It was
> removed from PHP. Please stop trying to associate two unrelated things

Yes, it was removed from PHP - exactly because it did not produce the attempted improvement in security. This feature is of the same kind - it tries to produce an increase in security but fails. Thinking of it as a security feature would produce nothing but an endless stream of CVEs with the PHP name attached to it. Not a good idea.
--
Stas Malyshev
smalys...@gmail.com

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
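As an added example (not code from this thread or from PHP itself): the point above is that a check on the file name's extension says nothing about what a stream wrapper such as phar:// will actually load, so a guard that wants to confine includes has to reject wrappers and resolve the real filesystem path instead. The helper name, the base-directory argument and the sample calls are mine.

```php
<?php
// Added example: confine an include to a real file under one directory.
// Returns the resolved path, or null if the request must be refused.
function safe_include_path(string $requested, string $baseDir): ?string
{
    // 1. Refuse any stream wrapper (phar://, data://, php://, compress.zlib://, ...).
    //    The archive behind phar:// can carry any name, e.g. cuteponies.gif,
    //    so an extension check on the name alone would not catch this.
    if (preg_match('#^[a-z][a-z0-9+.\-]*://#i', $requested)) {
        return null;
    }
    // 2. Refuse embedded null bytes and anything that is not a .php file.
    if (strpos($requested, "\0") !== false
        || pathinfo($requested, PATHINFO_EXTENSION) !== 'php') {
        return null;
    }
    // 3. Resolve both paths on the real filesystem. realpath() does not
    //    understand wrappers and returns false for non-existent files.
    $base = realpath($baseDir);
    $full = realpath($baseDir . DIRECTORY_SEPARATOR . $requested);
    if ($base === false || $full === false) {
        return null;
    }
    // 4. The resolved file must stay inside the base directory (blocks ../).
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($full, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $full;
}

// Constructed sample calls; $baseDir is a hypothetical application directory.
$baseDir = __DIR__ . '/includes';
var_dump(safe_include_path('phar://cuteponies.gif/pwnd.php', $baseDir)); // NULL
var_dump(safe_include_path('../../etc/passwd', $baseDir));              // NULL
var_dump(safe_include_path('page.php', $baseDir)); // absolute path, or NULL if absent

$path = safe_include_path($_GET['page'] ?? '', $baseDir);
if ($path !== null) {
    include $path; // only ever a resolved file inside $baseDir
}
```

Because the guard passes an absolute filesystem path to include, allow_url_include and the phar wrapper never enter the picture for the file that is actually loaded.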