tech-pkg archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Option to disable php://filter URL


PHP has a php://filter URL feature which in my opinion violates
the principle of least astonishment enough that we could want
an option to disable it.

Consider the following index.php:


if (isset($_REQUEST['page'])) {
        $page = $_REQUEST['page'];
        $page = str_replace('../', '', $page);
} else {
        $page = 'sommaire';

include($page . '.php');


It looks like we control what is included, but consider that URL:

It outputs the base64-encoded source of sommaire.php, with 
the PHP code unintepreted. That allows exploration for planning
an escalation, and it is rather not obvious for the PHP developper.

I created a patch set for pkgsrc to introduce build options for php56, 
php70, php71 and php72 so that the feature can be disabled. Usage 
would be to put in mk.conf

Opinions about this? is it okay to commit?

Emmanuel Dreyfus

Home | Main Index | Thread Index | Old Index