Re: Fixing stupid PHP application design flaws

To: Jeroen van Wolffelaar <jeroen@wolffelaar.nl>
Cc: Debian Security <debian-security@lists.debian.org>
Subject: Re: Fixing stupid PHP application design flaws
From: Martin Schulze <joey@infodrom.org>
Date: Sat, 30 Apr 2005 08:38:13 +0200
Message-id: <[🔎] 20050430063813.GU7744@finlandia.infodrom.north.de>
In-reply-to: <[🔎] 20050428134548.GJ2785@A-Eskwadraat.nl>
References: <[🔎] 20050428131508.GQ7744@finlandia.infodrom.north.de> <[🔎] 20050428134548.GJ2785@A-Eskwadraat.nl>

Jeroen van Wolffelaar wrote:
> > What do people on this list think about fixing PHP include files in a
> > DSA that are accessible via HTTP as well and contain one bug or
> > another as they are not supposed to be accessible via HTTP but
> > accidently are.
> > 
> > I'm rather annoyed by the lack of comptence of some PHP coders who
> > manage their project in a way so that include files are stored within
> > the regular DocumentRoot and are hencely accessible via HTTP as well.
> > Include files normally also don't contain any precaution about being
> > "executed" standalone.
> > 
> > These files should not be accessible via HTTP in the first place but
> > put into /usr/share/something instead and included from there.
> 
> I don't think that those include files are per definition a problem -- a
> well-managed project will only ship 'stock' include files only
> containing functions, whether the user gets to see the source of it, or
> it's being executed, it doesn't hurt.

I agree, as long as they are silent, they don't pose a problem per se.

> Of course, it's different if this is not the case (non-function stuff in
> include files). I'd myself be inclined to advice to only fix those

non-function and non-class.

> cases where there might be a potential problem. A lot of PHP web
> applications are designed by upstream to be simply untarreable in the
> place where the URL is supposed to be, and as such have include files
> necessarily http-accessible. It's sometimes hard for packagers to fix
> this, and when the include fiels cannot do harm, I don't see why.

Clean design.  Less tempting for stupid "coders".  Just to name two.

> It'd be wise for those projects to take the extra precaution by allowing
> (and the Debian maintainer to do so) include files outside the web root,
> but to DSA for such a thing when there might not even be a vulnerability
> at all, seems premature to me. It'd be like fixing all uses of sprintf
> because the programmer could have used snprintf to be more sure there is
> no problem.

Sure, that was never my intention either.

Regards,

	Joey

-- 
Never trust an operating system you don't have source for!

Please always Cc to me when replying to me on the lists.

Reply to:

References:
- Fixing stupid PHP application design flaws
  - From: Martin Schulze <joey@infodrom.org>
- Re: Fixing stupid PHP application design flaws
  - From: Jeroen van Wolffelaar <jeroen@wolffelaar.nl>

Prev by Date: Re: Fixing stupid PHP application design flaws
Next by Date: Re: [SECURITY] [DSA 717-1] New lsh packages fix several vulnerabilities
Previous by thread: Re: Fixing stupid PHP application design flaws
Next by thread: Re: Fixing stupid PHP application design flaws
Index(es):
- Date
- Thread