Hi Stas,
On Wed, Feb 25, 2015 at 8:25 AM, Stanislav Malyshev <smalys...@gmail.com>
wrote:
> > As far as I know, PHP is the only language that has this type of malware.
> > (Script embedded images) PHP is the only one malware vendors claims
> > it as "PHP malware". This is the fact.
>
> Which type is that? Of course only malware in PHP can be presented as
> "PHP malware", but I don't understand why it is of any significance.
>
I showed Exif specific one as "an" example.
Regardless of your view, people recognizes "PHP is weaker against script
inclusion" because there is "malware works with PHP", but not other
languages.
>
> > The reason is other languages are almost safe by default against script
> > inclusion attacks.
>
> Many languages just don't use patterns like PHP code does - I don't
> think I ever seen Python code doing imports based on variables - I'm not
> even sure it's possible in Python. PHP has more capabilities, but of
> course you need to use them in the right way.
>
To do a similar thing as PHP does, Python needs to read file and parse,
then execute. It's a lot of work compare to "require('file');"
Ruby is a little easier since it allows "full path" script loading. However,
most developers omit file extension. In addition, Ruby does not allow
embedded scripting unlike PHP.
It's much harder to make "Script Inclusion vulnerability" in other
languages.
>
> > This RFC makes PHP safe by default just like other languages +
> > move_uploaded_file()
> > protection.
>
> No, it does not - I've shown the example why. I'm sure there are more.
>
With this RFC
- require/include only includes ".php" ".phar" by default.
- move_uplaoded_file() only move files other than ".php", ".phar"
extension by default.
This makes "script inclusion" attack much harder. In fact, this RFC makes
almost
impossible attackers to take advantage of PHP's embed everything nature.
>
> > People do not have to be exparts of developing softwares. Managers will
> > choose illogical choice.
>
> We should not base our decision on the opinions of people we all
> understand are ignorant.
>
> > 1. Anti-virus detects "PHP malware"
> > 2. Managers surprises possible attack (Server takeover)
> > 3. Developers are forced to check their code, since current PHP has no
> > effective script inclusion attack prevention
> >
> > With this RFC, developers can explain this type of attacks cannot be done
> > by PHP's feature. i.e. Exploit servers via script embedded images, etc
> > cannot
> > be done.
>
> I don't think we need to introduce BC-breaking feature in PHP just
> because somebody has a manager that can't understand the basics of
> security.
>
For users do not need these protections, they can simply add one liner.
ini_set('zend.script_extensions', '');
This piece of code is executed for all PHP version without any errors.
>
> > Embedded PHP script uploads are prohibited by this RFC by default.
>
> Only certain very narrow cases of it.
>
Unlike previous RFC, this RFC patch does not care "contents" of file, but
only cares file "extensions". However, it works well as described before.
>
> >
> > PHP became as secure as other languages with respect to script
> inclusions.
>
> You keep repeating that, but it's not the case, and PHP already is as
> secure as other languages - provided you do not use clearly broken code.
> Security of the language is a misnomer anyway - language can not be
> secure (unless it's a language that does nothing useful), only specific
> code can be. Code that allows user-controlled includes without adequate
> filtering is insecure, and pretending that we make it secure does not
> improve security, quite the contrary.
>
I think I explained enough in previous comments.
>
> > Users may shoot their own foot, this is not our issue.
>
> But that's exactly what is required for your change to be useful at all!
Even with this RFC, users can shoot their own foot and PHP is much easier
to do it wrong compare to other languages.
However, if users use new PHP by default setting, PHP is as safe as
other languages against script inclusion/upload attacks. Since we have
move_uploaded_file() protection, PHP becomes safer than others.
- require/include cannot load script other than ".php"/".phar".
- move_uploaded_files() cannot move script files ".php"/".phar".
Script inclusion is one of the most severe security breach.
This RFC works well for it.
Regards,
--
Yasuo Ohgaki
yohg...@ohgaki.net
