Hi Francois, On Sat, May 16, 2015 at 10:04 PM, François Laupretre <franc...@php.net> wrote:
> > De : yohg...@gmail.com [mailto:yohg...@gmail.com] De la part de Yasuo > > Ohgaki > > > > As some of you know that I'm trying to to eliminate script inclusion > attack. > > I come up with another idea which may have consensus. > > > > PHP compiler is fast enough for almost all apps without script > preloading. > > However, large sites take advantage of opcache_compile_file() to > maximize > > the performance/response. > > > > How about have a preloaded scripts configuration? > > In addition, how about have a option that allows preloaded script only? > > > > This way, PHP will execute only scripts listed in the "whitelist". > > This is perfect solution for eliminating php script inclusion attacks. > > In addition, users don't have to preload script one by one using > > opcache_compile_file(). > > > > These options may be PHP/Zend or opcache options. > > Does it mean you preload every script you could use ? In a typical > application with potential access to, say, 4,000/5,000 PHP scripts, does it > mean you will preload them all before running anything ? I hope it is not > the case because it's generally impossible to know in advance which files > you'll need. That's even the main benfit of autoloading. > The idea is preload everything in memory at startup. I'm thinking creating the list like find /var/www/myapp -name '*.php' > my_script_list and use the list as white list. We need to consider the case app has too many files for memory. Keeping compiled files in disk may be an option. > > An idea I had during a previous thread about script inclusion is a way to > register a list of patterns that paths should match. The main script would > register them and, then, every include/require would be filtered through > the list. It just requires to run realpath() and match the result against a > set of patterns. Don't know the performance impact. Just an idea. > I think the idea is good enough. However, it seems there are people does not like it because it requires a little overhead. Good part of new idea is it does not require any overhead (except startup delay for compiling all scripts before execution) It also maximize performance when app starts. Regards, -- Yasuo Ohgaki yohg...@ohgaki.net
