Hi Yasuo,
Yasuo Ohgaki wrote:
> Hi Christoph,
>
> On Wed, Feb 11, 2015 at 10:45 AM, Christoph Becker
> wrote:
>
>>> We have already tried to educate users and introduced some
>>> mitigations e.g. allow_url_include, open_basedir.
>>>
>>> However, enough time has passed to prove that wasn't
Hi Stas,
On Thu, Feb 12, 2015 at 3:21 AM, Stanislav Malyshev
wrote:
> > I'm not trying to be perfect, but I would like to make PHP as secure as
> > other
> > languages from script inclusion attacks. It's too easy currently...
>
> PHP is already as secure as the other languages. If you have code
Hi,
another one of my weird ideas: what about a script signing mode?
- ini setting containing a HMAC key
- first
Hi!
> I'm not trying to be perfect, but I would like to make PHP as secure as
> other
> languages from script inclusion attacks. It's too easy currently...
PHP is already as secure as the other languages. If you have code in
Python that loads an arbitrary file and executes it, you could upload
Pytho
Hi Stas,
On Wed, Feb 11, 2015 at 4:32 PM, Stanislav Malyshev
wrote:
> > Some of you are tired of this topic, but please take a look at the RFC
> >
> > [RFC] Script only includes - this is 3rd version.
> > https://wiki.php.net/rfc/script_only_include
> >
> > Please let me know what you like or dis
On 11/02/15 09:34, Derick Rethans wrote:
>> Some of you are tired of this topic, but please take a look at the RFC
>> >
>> > [RFC] Script only includes - this is 3rd version.
>> > https://wiki.php.net/rfc/script_only_include
>> >
>> > Please let me know what you like or dislike.
> Con:
> - It intr
On Wed, 11 Feb 2015, Yasuo Ohgaki wrote:
> Hi Markus,
>
> On Tue, Feb 10, 2015 at 5:59 PM, Markus Fischer wrote:
>
> > What constitutes "first token" in this context?
> >
> > Would this be detected as a PHP file?
> >
> > -8<
> > root:x:0:0:root:/root:/bin/bash
> > daemon:x:1:1:daemon:/u
On Tue, 10 Feb 2015, Yasuo Ohgaki wrote:
> Hi all,
>
> Some of you are tired of this topic, but please take a look at the RFC
>
> [RFC] Script only includes - this is 3rd version.
> https://wiki.php.net/rfc/script_only_include
>
> Please let me know what you like or dislike.
Con:
- It introduce
Hi!
> Some of you are tired of this topic, but please take a look at the RFC
>
> [RFC] Script only includes - this is 3rd version.
> https://wiki.php.net/rfc/script_only_include
>
> Please let me know what you like or dislike.
I think there are several issues with this RFC:
1. It does not prote
Hi!
> I proposed script()/script_once() at first. Considering new names that
> might
> break existing apps, I chose INI.
The problem with script_once is not that it may break existing apps. The
problem is that somebody careful enough to use special operator would
probably be careful enough not t
Hi Matteo,
On Wed, Feb 11, 2015 at 12:48 PM, Yasuo Ohgaki wrote:
> On Tue, Feb 10, 2015 at 5:22 PM, Matteo Beccati wrote:
>
>> On 10/02/2015 01:52, Yasuo Ohgaki wrote:
>>
>>> Some of you are tired of this topic, but please take a look at the RFC
>>>
>>> [RFC] Script only includes - this is 3rd v
Hi Pierre,
On Tue, Feb 10, 2015 at 6:19 PM, Pierre Joye wrote:
> On Tue, Feb 10, 2015 at 7:52 AM, Yasuo Ohgaki wrote:
> > Hi all,
> >
> > Some of you are tired of this topic, but please take a look at the RFC
> >
> > [RFC] Script only includes - this is 3rd version.
> > https://wiki.php.net/rfc/
Hi Matteo,
On Tue, Feb 10, 2015 at 5:22 PM, Matteo Beccati wrote:
> On 10/02/2015 01:52, Yasuo Ohgaki wrote:
>
>> Some of you are tired of this topic, but please take a look at the RFC
>>
>> [RFC] Script only includes - this is 3rd version.
>> https://wiki.php.net/rfc/script_only_include
>>
>> Pl
Hi Christoph,
On Wed, Feb 11, 2015 at 10:45 AM, Christoph Becker
wrote:
> > We have already tried to educate users and introduced some
> > mitigations e.g. allow_url_include, open_basedir.
> >
> > However, enough time has passed to prove that wasn't enough, hasn't it?
> >
> > PHP (many and th
Yasuo Ohgaki wrote:
> We have already tried to educate users and introduced some
> mitigations e.g. allow_url_include, open_basedir.
>
> However, enough time has passed to prove that wasn't enough, hasn't it?
>
> PHP (many and these are _only_ few of them in the wild)
> http://www.exploit-db.
Hi Pavel,
On Tue, Feb 10, 2015 at 7:06 PM, Pavel Kouřil wrote:
> IMHO the real solution to this problem is to educate the programmers
> how to write safer applications, not by ini settings.
>
We have already tried to educate users and introduced some
mitigations e.g. allow_url_include, ope
Hi Markus,
On Tue, Feb 10, 2015 at 5:59 PM, Markus Fischer wrote:
> What constitutes "first token" in this context?
>
> Would this be detected as a PHP file?
>
> -8<
> root:x:0:0:root:/root:/bin/bash
> daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
> bin:x:2:2:bin:/bin:/usr/sbin/nologin
On Tue, Feb 10, 2015 at 1:52 AM, Yasuo Ohgaki wrote:
> Hi all,
>
> Some of you are tired of this topic, but please take a look at the RFC
>
> [RFC] Script only includes - this is 3rd version.
> https://wiki.php.net/rfc/script_only_include
>
> Please let me know what you like or dislike.
>
> Thank y
On Tue, Feb 10, 2015 at 7:52 AM, Yasuo Ohgaki wrote:
> Hi all,
>
> Some of you are tired of this topic, but please take a look at the RFC
>
> [RFC] Script only includes - this is 3rd version.
> https://wiki.php.net/rfc/script_only_include
>
> Please let me know what you like or dislike.
I said bef
On 10.02.15 01:52, Yasuo Ohgaki wrote:
> Some of you are tired of this topic, but please take a look at the RFC
>
> [RFC] Script only includes - this is 3rd version.
> https://wiki.php.net/rfc/script_only_include
>
> Please let me know what you like or dislike.
How exactly does this detection wor
Hi Yasuo,
On 10/02/2015 01:52, Yasuo Ohgaki wrote:
Some of you are tired of this topic, but please take a look at the RFC
[RFC] Script only includes - this is 3rd version.
https://wiki.php.net/rfc/script_only_include
Please let me know what you like or dislike.
I understand your goal, but ini
Hi all,
Some of you are tired of this topic, but please take a look at the RFC
[RFC] Script only includes - this is 3rd version.
https://wiki.php.net/rfc/script_only_include
Please let me know what you like or dislike.
Thank you.
--
Yasuo Ohgaki
yohg...@ohgaki.net