Hi Stas,

On Wed, Feb 25, 2015 at 12:19 PM, Stanislav Malyshev <smalys...@gmail.com> wrote:

> > Are you saying current PHP allows
> > include('zip://...') or include('input://...')?
> >
> > Neither zip nor phar are classified as url handlers. Both have is_url to 0.
> >
> > Then this is a serious bug. I'll fix it also.
>
> This would be another big BC break, as this would mean you can not use
> phar streams with allow_url_fopen set to off. Please don't change that,
> there's reason for these settings.

I have to at least php://

php://input or php://stdin allows attacker script execution via POST if
it's allowed by allow_url_include=On.

[yohgaki@dev php-src]$ php -d allow_url_include=On -r 'include("php://input");' 2> /dev/null
[yohgaki@dev php-src]$

No errors. It seems we are better to fix this even with this RFC.
Default setting for web SAPI prevents attack, but it can be disabled.

Other than this, it seems it's working as it should. (allow_url_include=Off)

[yohgaki@dev php-src]$ php -r 'include("php://input");' 2> /dev/null
Warning: include(php://input): failed to open stream: operation failed in Command line code on line 1
Warning: include(): Failed opening 'php://input' for inclusion (include_path='.:/usr/share/pear:/usr/share/php') in Command line code on line 1

[yohgaki@dev php-src]$ php -r 'include("http://php.net");' 2> /dev/null
Warning: include(): http:// wrapper is disabled in the server configuration by allow_url_include=0 in Command line code on line 1
Warning: include(http://php.net): failed to open stream: no suitable wrapper could be found in Command line code on line 1
Warning: include(): Failed opening 'http://php.net' for inclusion (include_path='.:/usr/share/pear:/usr/share/php') in Command line code on line 1

Regards,

--
Yasuo Ohgaki
yohg...@ohgaki.net
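The thread shows that whether `include()` accepts a stream wrapper such as `php://input` depends on an ini switch that can be turned back on. The following is an added example, not code from the thread or from php-src, of how application code can refuse wrapper targets on its own, independent of `allow_url_include`. It assumes PHP 8 (for `str_contains` and `str_starts_with`); the function names and the sample targets are hypothetical.

```php
<?php
// Added example (not from the thread): report the include attack surface of
// the running process and guard dynamic includes so that no stream wrapper
// is ever opened, whatever allow_url_include is set to.

declare(strict_types=1);

/**
 * Report the two ini switches discussed in the thread and every stream
 * wrapper registered in this process (both URL and non-URL wrappers).
 */
function include_surface_report(): array
{
    return [
        'allow_url_fopen'   => filter_var(ini_get('allow_url_fopen'), FILTER_VALIDATE_BOOLEAN),
        'allow_url_include' => filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN),
        'wrappers'          => stream_get_wrappers(),
    ];
}

/**
 * Resolve a relative include target to a real file under $baseDir, or throw.
 * Anything carrying a scheme ("php:", "phar:", "data:", "http:", ...) is
 * rejected before the filesystem is touched, so the wrapper is never opened.
 * Only relative paths are expected; on Windows a drive letter would also
 * match the scheme pattern and be refused.
 */
function safe_include_path(string $baseDir, string $requested): string
{
    if (preg_match('~^[a-z][a-z0-9+.\-]*:~i', $requested)) {
        throw new InvalidArgumentException("stream wrapper not allowed: $requested");
    }
    if (str_contains($requested, "\0")) {
        throw new InvalidArgumentException('NUL byte in path');
    }
    $base = realpath($baseDir);
    $full = realpath($baseDir . DIRECTORY_SEPARATOR . $requested);
    if ($base === false || $full === false) {
        throw new RuntimeException("no such file: $requested");
    }
    // realpath() has already resolved "..", so a prefix check is enough.
    if (!str_starts_with($full, $base . DIRECTORY_SEPARATOR)) {
        throw new RuntimeException("path escapes base dir: $requested");
    }
    return $full;
}

// Usage: constructed sample targets, the last one is expected to exist
// under the base directory in a real deployment.
print_r(include_surface_report());
foreach (['php://input', 'phar://x.phar/a.php', '../etc/passwd', 'templates/page.php'] as $target) {
    try {
        echo "$target -> ", safe_include_path(__DIR__, $target), "\n";
    } catch (Throwable $e) {
        echo "$target -> rejected: ", $e->getMessage(), "\n";
    }
}
```

The scheme check runs before `realpath()` on purpose: `realpath()` itself opens nothing, but rejecting the wrapper syntax first keeps the decision independent of which wrappers are registered and of the `is_url` flag the thread discusses, so a future change to either setting does not widen what the application will include.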