
Re: [tlug] Clamav reports a virus: Exploit.Gif.PHPembedded



Brian Chandler writes:

 > But I don't really see what criticism there could be here of PHP as 
 > such.

Excuse me?  The implications of "a GIF is an executable PHP program"
should be pretty obvious.

 > PHP provides a function to include a file and run it through the 
 > php interpreter - what more or less could it do?

Insist that the file satisfy some minimal truth-in-labelling
requirements, such as "my MIME type is application/PHP-program".  (The
fact that that actually makes little sense in PHP is not an excuse for
anything except criticism of PHP's design.)  Even Perl-sans-taint does
that!

 > AAMOF, I think that most of the publicised problems hereabouts come
 > from generic applications abusing very general mechanisms.

PHP today may be a general scripting language, but it originated as
and is still most popular as a web framework.  General mechanisms
should not be exposed at the web site building level, but in PHP you
can't avoid it.  Even Perl has the taint mechanism.  Python does
provide eval, but its use is deprecated.  I'm sure Ruby, ditto.
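The point argued above, "a GIF is an executable PHP program", as an added worked example; this is not code from the thread or from Brian Chandler's or the reply author's posts. It builds a file that passes an extension and magic-byte check as a GIF, shows that include() runs the PHP tag buried in it anyway, and contrasts that with an include that only accepts an allow-listed template name. The temporary directory and the template names ('header', 'footer') are assumptions for the demo; the "uploaded" image is constructed inline.

```php
<?php
// Added example, not code from the TLUG thread. It demonstrates the point
// under discussion: include() runs any file containing a <?php tag, so a
// file that is a valid GIF by extension and magic bytes is still an
// executable PHP program. The "upload" below is constructed inline, and
// the temp directory and template names are assumptions for the demo.
declare(strict_types=1);

// Constructed "image": a minimal GIF89a header (13 bytes), a GIF trailer
// byte, then a PHP tag appended as trailing data. Image tools ignore the
// trailer; include() ignores the GIF bytes and executes the tag.
const GIF_WITH_PHP = "GIF89a\x01\x00\x01\x00\x00\x00\x00;" .
    '<?php echo "payload ran"; ?>';

function looksLikeGif(string $path): bool
{
    // The same magic-byte check an upload handler might use.
    $magic = (string) file_get_contents($path, false, null, 0, 6);
    return $magic === 'GIF89a' || $magic === 'GIF87a';
}

// Vulnerable: a path reaches include() and whatever is in the file runs.
// Output is captured so the raw GIF bytes do not land on the terminal.
function renderVulnerable(string $path): string
{
    ob_start();
    include $path;
    return (string) ob_get_clean();
}

// Hardened: the template name is matched against an allow-list, the path
// is built server-side, and realpath() confirms it stays under $dir.
function renderHardened(string $name, string $dir): string
{
    $allowed = ['header', 'footer'];                 // assumed template names
    if (!in_array($name, $allowed, true)) {
        throw new InvalidArgumentException("unknown template: $name");
    }
    $base = realpath($dir);
    $real = realpath($dir . '/' . $name . '.php');
    if ($base === false || $real === false
        || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        throw new RuntimeException("template path escapes $dir");
    }
    ob_start();
    include $real;
    return (string) ob_get_clean();
}

// --- demo ---
$uploadDir = sys_get_temp_dir() . '/tlug_gif_demo_' . getmypid();
mkdir($uploadDir, 0700);
$avatar = $uploadDir . '/avatar.gif';
file_put_contents($avatar, GIF_WITH_PHP);

printf("looksLikeGif: %s\n", looksLikeGif($avatar) ? 'yes' : 'no');

$out = renderVulnerable($avatar);
printf("vulnerable include ran the payload: %s\n",
    strpos($out, 'payload ran') !== false ? 'yes' : 'no');

try {
    renderHardened('avatar', $uploadDir);
} catch (InvalidArgumentException $e) {
    printf("hardened include refused: %s\n", $e->getMessage());
}

unlink($avatar);
rmdir($uploadDir);
```

Run it with `php demo.php`: the file is reported as a GIF, the vulnerable include prints that the payload ran, and the hardened include refuses 'avatar' because it is not on the allow-list. The lesson is that checking the upload's extension or magic bytes does nothing here, because include() never looks at either; the only reliable fix is to keep user-derived paths (uploads, query parameters, cookies) away from include() and require() entirely, as the hardened function does.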


