Hi all,

On Wed, Feb 25, 2015 at 5:58 PM, Lester Caine <les...@lsces.co.uk> wrote:
> > As soon as you have any possibility of including a file uploaded by an
> > attacker, you are probably going to lose.
>
> I think that this is perhaps the key here.

I thought it's rather obvious how this RFC works, but apparently not.
I added the following description to the RFC.

==============================================
Do not see how this RFC prevents script inclusion attacks

- include*()/require*() refuse to compile/execute file extensions other than ".php .phar" by default.
- move_uploaded_file() refuses to move PHP scripts. ".php .phar" is refused by default.

With this RFC, include*()/require*() only executes files that have a ".php" or ".phar" extension, and move_uploaded_file() refuses to move uploaded files that can be executed as PHP scripts. Therefore, even the most obvious mistake like 'include $_GET["var"];' will not work anymore. i.e. It cannot read files like "include '/etc/passwd';" nor execute a script like "include '/path/to/upload/evil_image.jpg';".
==============================================

How could this RFC lose?

I'm not trying to protect users from shooting themselves. However, this RFC protects PHP programs from script inclusion attacks as well as file inclusion attacks via include/require by default.

Regards,

--
Yasuo Ohgaki
yohg...@ohgaki.net
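
Added example, not part of the original message or of the RFC: a userland PHP sketch of the two checks the message describes, showing how the include-side and upload-side rules complement each other. The function names, the constant and the sample paths other than the two quoted in the message are assumptions made for illustration.

```php
<?php
// Added illustration, not the RFC's implementation. All names are hypothetical.
const SCRIPT_EXTENSIONS = ['php', 'phar'];

// True when the path ends in an extension treated as executable PHP.
// Compared case-insensitively so "photo.PHP" is treated like "photo.php".
function has_script_extension(string $path): bool
{
    $ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
    return in_array($ext, SCRIPT_EXTENSIONS, true);
}

// Include-side rule: anything without a script extension is refused.
function guarded_include(string $path)
{
    if (!has_script_extension($path)) {
        throw new RuntimeException("refusing to include non-script file: $path");
    }
    return include $path;
}

// Upload-side rule: an upload is never stored under a script extension.
function guarded_move_uploaded_file(string $tmp, string $dest): bool
{
    if (has_script_extension($dest)) {
        return false;
    }
    return move_uploaded_file($tmp, $dest);
}

// Constructed sample paths; the first two are the ones named in the message.
$samples = ['/etc/passwd', '/path/to/upload/evil_image.jpg', 'lib/util.php', 'upload/photo.PHP'];
foreach ($samples as $path) {
    $script = has_script_extension($path);
    printf("%-32s include: %-8s upload target: %s\n", $path,
        $script ? 'allowed' : 'refused', $script ? 'refused' : 'allowed');
}
```

Every path ends up permitted on exactly one side: a name that may be included can never be an upload destination, and a name that may receive an upload can never be included.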