Hi Stas,

On Wed, Feb 25, 2015 at 12:19 PM, Stanislav Malyshev <smalys...@gmail.com>
wrote:

> > Are you saying current PHP allows
> > include('zip://...') or include('input://...')?
>
> Neither zip nor phar are classified as url handlers. Both have is_url to 0.
>
> > Then this is serious bug. I'll fix it also.
>
> This would be another big BC break, as this would mean you can not use
> phar streams with allow_url_fopen set to off. Please don't change that,
> there's reason for these settings.


I have to at least fix php://.
php://input or php://stdin allows attacker script execution via POST if it's
allowed by allow_url_include=On.

[yohgaki@dev php-src]$ php -d allow_url_include=On -r
'include("php://input");' 2> /dev/null
[yohgaki@dev php-src]$

No errors. It seems we had better fix this even with this RFC. The default
setting for the web SAPI prevents the attack, but it can be disabled.

Other than this, it seems it's working as it should. (allow_url_include=Off)

[yohgaki@dev php-src]$ php -r 'include("php://input");' 2> /dev/null
Warning: include(php://input): failed to open stream: operation failed in
Command line code on line 1
Warning: include(): Failed opening 'php://input' for inclusion
(include_path='.:/usr/share/pear:/usr/share/php') in Command line code on
line 1

[yohgaki@dev php-src]$ php -r 'include("http://php.net");' 2> /dev/null
Warning: include(): http:// wrapper is disabled in the server configuration
by allow_url_include=0 in Command line code on line 1
Warning: include(http://php.net): failed to open stream: no suitable
wrapper could be found in Command line code on line 1
Warning: include(): Failed opening 'http://php.net' for inclusion
(include_path='.:/usr/share/pear:/usr/share/php') in Command line code on
line 1


Regards,

--
Yasuo Ohgaki
yohg...@ohgaki.net
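As an added illustration (not code from the thread or from php-src): an include helper that refuses stream-wrapper targets such as php://input on the application side, so a deployment that has re-enabled allow_url_include does not silently become an RCE sink. The template directory and the $_GET parameter name are assumptions for the example.

```php
<?php
// Added example, not from the thread: guarded include that rejects any
// stream wrapper (php://, data://, http://, zip://, phar://, ...) and any
// path escaping a fixed template directory. $templateDir is hypothetical.

function safe_include($name, $templateDir)
{
    // Fail closed if the dangerous ini setting has been turned back on.
    if (filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN)) {
        throw new RuntimeException('allow_url_include must be Off');
    }
    // Reject a scheme prefix or an embedded NUL before touching the filesystem.
    if (preg_match('#^[a-z][a-z0-9+.\-]*:#i', $name) || strpos($name, "\0") !== false) {
        throw new InvalidArgumentException('stream wrappers are not allowed');
    }
    $base = realpath($templateDir);
    $path = realpath($templateDir . DIRECTORY_SEPARATOR . $name);
    // realpath() collapses "..", so a resolved path outside $base is traversal.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0
        || !is_file($path)) {
        throw new InvalidArgumentException('template not found: ' . $name);
    }
    include $path;
}

// Usage (assumed layout): the request may only choose a template by basename.
$page = isset($_GET['page']) ? basename($_GET['page']) : 'home';
safe_include($page . '.php', __DIR__ . '/templates');
```

The scheme check is what matters for the thread's case: "php://input" fails the regex test before include() is ever reached, whichever way allow_url_include is set.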
