Option to disable php://filter URL

To: tech-pkg%netbsd.org@localhost
Subject: Option to disable php://filter URL
From: manu%netbsd.org@localhost (Emmanuel Dreyfus)
Date: Wed, 4 Jul 2018 11:00:27 +0200

Hello

PHP has a php://filter URL feature which in my opinion violates
the principle of least astonishment enough that we could want
an option to disable it.

Consider the following index.php:

<?php

if (isset($_REQUEST['page'])) {
        $page = $_REQUEST['page'];
        $page = str_replace('../', '', $page);
} else {
        $page = 'sommaire';
}

include($page . '.php');

?>

It looks like we control what is included, but consider that URL:
https://www.example.net/index.php?page=php://filter/convert.base64-encode/resource=sommaire

It outputs the base64-encoded source of sommaire.php, with 
the PHP code unintepreted. That allows exploration for planning
an escalation, and it is rather not obvious for the PHP developper.

I created a patch set for pkgsrc to introduce build options for php56, 
php70, php71 and php72 so that the feature can be disabled. Usage 
would be to put in mk.conf
PKG_OPTIONS.php71+=disable-filter-url 

Opinions about this? is it okay to commit?

-- 
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
manu%netbsd.org@localhost

Follow-Ups:
- Re: Option to disable php://filter URL
  - From: Emmanuel Dreyfus

Prev by Date: daily pkgsrc CVS update output
Next by Date: Re: firefox 61 fails to build on netbsd-7
Previous by Thread: Go 1.10 does not build on NetBSD 6
Next by Thread: Re: Option to disable php://filter URL
Indexes:

Home | Main Index | Thread Index | Old Index