
Looking back at register_globals now / PHPerKaigi 2020


Wataru MIYAGUNI

February 11, 2020


Transcript

  1. Looking back at register_globals now / PHPerKaigi 2020 (Tue) / Wataru Miyaguni @gongoZ

  2. About me: @gongoZ, github.com/gongo, SmartHR, Inc.

  3. About me (cont'd): my hobby is recreating everything in Emacs.
     - A NES emulator written in Emacs Lisp (a Famicom emulator): https://github.com/gongo/emacs-nes
     - Implement JVM by Emacs (Emacs becomes a JVM): https://github.com/gongo/emacs-jvm

  4. Agenda: (1) What is register_globals? (2) Tracing the life of register_globals. (3) How to live in a world without register_globals.

  5. What is register_globals?

  6. What is register_globals? A php.ini directive that existed in PHP [versions lost]. https://www.php.net/manual/ja/ini.core.php#ini.register-globals

  7. register_globals in action: register_globals=Off

  8. register_globals in action: register_globals=On

  9. register_globals in action: the form field name becomes the variable name as-is.

  10. What register_globals achieved. https://www.youtube.com/watch?v=wCZ5TJCBWMg&t=1339 In his phpDay keynote "[number lost] Years of PHP", Rasmus touched on register_globals: "Without register_globals, PHP would not have developed the way it has." "In an era when many users were not used to building dynamic web pages, being able to reference a form field directly as a variable of the same name was groundbreaking."

  11. PHP manual, Security: Using Register Globals. Where there is light, there is also darkness. https://www.php.net/manual/ja/security.globals.php

  12. Unsafe code example, register_globals=Off. https://www.php.net/manual/ja/security.globals.php

  13. Unsafe code example, register_globals=On. https://www.php.net/manual/ja/security.globals.php

  14. A famous remark about PHP (Web Archive): IPA Secure Programming Course, Chapter 1, "Hints for better web application design".

  15. Summary: what is register_globals? ✨ An amazing feature; the key player that, for better or worse, drove PHP's growth. Let's follow this key player's whole life!!

  16. The life of register_globals

  17. The life of register_globals

  18. PHP 4.0 beta 3: register_globals is implemented (at that time it still went by its earlier name). Only GET, POST and COOKIE were covered; since it came to handle other sources too (SESSION and the like), it was renamed in PHP 4.0 beta 3. https://github.com/php/php-src/commit/ab16816e

  19. Up to PHP 4.0.6 (first half of [year lost]): security inquiries poured in. "register_globals is all bad and dangerous." "Some of the code in question is simple stuff like uninitialized variables; just removing this setting won't solve it." Various things followed.. (mailing-list post, Rasmus)

  20. Up to PHP 4.0.6 (cont'd): Rasmus posted a proposal for PHP [version lost] onward to the developer mailing list. https://marc.info/?l=php-internals&m=99638397319055&w=2 In summary: "Let's make the default off." "I want to keep a mechanism for easy access to GET and POST (safely, of course)."

  21. Up to PHP 4.0.6 (cont'd): ✍ Rasmus's proposal opened with this passage: "The best thing about PHP is that it has such a shallow learning curve that non-programmers can write web apps. The worst thing about PHP is that it has such a shallow learning curve that non-programmers write web apps." (from the opening of the proposal) https://marc.info/?l=php-internals&m=99638397319055&w=2

  22. PHP 4.1.0: ⚙ Superglobals ($_GET, $_POST and so on) are implemented; unlike the older HTTP_GET_VARS, they can be used right away without a global declaration. ⚙ import_request_variables() is implemented: a function that reproduces register_globals in a somewhat safer form. https://www.php.net/releases/4_1_0.php

  23. PHP 4.1.0 (as above), plus an import_request_variables() example: https://www.php.net/manual/en/function.import-request-variables

  24. PHP 4.2.0: ⚙ register_globals is OFF by default. https://www.php.net/releases/4_2_0.php

  25. PHP 5.3.0: ⚙ register_globals is deprecated. https://www.php.net/releases/5_3_0.php

  26. PHP 5.4.0: Goodbye register_globals ⚰. Features removed along with it: [name lost], [name lost]. https://www.php.net/releases/5_4_0.php

  27. register_globals has ended its life… ⚰

  28. register_globals has ended its life… ⚰ but the life of the apps that used register_globals goes on!!
  29. To keep living in a world without register_globals

  30. How can an app that used register_globals survive? Get rid of the register_globals dependency and start a new life. The orthodox way: do nothing and stay on updates up to PHP [version lost] (but then vulnerabilities other than register_globals can't be addressed either). ⚔ The hard road: write code that reproduces register_globals, then raise the PHP version. This talk is about the latter.

  31. I looked it up on php.net: "How do I deal with register_globals?" https://www.php.net/manual/en/faq.misc.php

  32. That approach is wrong. Let's look at what is wrong and what a problem-free reimplementation looks like, in three parts: register_globals for beginners, intermediate, and advanced.

  33. register_globals features: Beginner (spec / handling), Intermediate (spec / handling), Advanced (spec / handling).
  34. Beginner, spec: the order in which variables are merged into globals.

  35. Order of merging into globals: which one wins?

  36. Order of merging into globals. From the manual: "When the deprecated register_globals directive is on, the variables_order setting also determines the order in which the ENV, GET, POST, COOKIE and SERVER variables are imported into the global scope." https://www.php.net/manual/ja/ini.core.php#ini.variables-order So variables_order has to be taken into account.

  37. Order of merging into globals (as above), plus a variables_order example.

  38. Beginner, handling: follow variables_order.

  39. Intermediate, spec: watch out for $_SESSION.

  40. The relationship between $_SESSION and register_globals

  41. The relationship between $_SESSION and register_globals

  42. Session variables alone are passed by reference. https://gongo.hatenablog.com/entry/2014/12/24/132841 They must not be handled the same way as $_GET, $_POST and the rest; think of it like this.

  43. Intermediate, handling: make friends with references.

  44. Advanced, spec: take care with $_FILES.
  45. A refresher on $_FILES

  46. When $_FILES becomes global variables… https://gongo.hatenablog.com/entry/2014/10/02/211520

  47. When $_FILES becomes global variables… https://gongo.hatenablog.com/entry/2014/10/02/211520

  48. When $_FILES becomes global variables… https://gongo.hatenablog.com/entry/2014/10/02/211520

  49. When $_FILES becomes global variables… https://gongo.hatenablog.com/entry/2014/10/02/211520

  50. When $_FILES becomes global variables… https://gongo.hatenablog.com/entry/2014/10/02/211520

  51. When $_FILES becomes global variables… Oh, so that's how it goes. https://gongo.hatenablog.com/entry/2014/10/02/211520

  52. Aside: a note from the extract() manual page: "If register_globals is on and you call extract() on $_FILES specifying EXTR_SKIP, you may be surprised at the result." https://www.php.net/manual/ja/function.extract.php

  53. Aside (as above): I was surprised.

  54. Advanced, handling: do your best.

  55. Taking all of this into account is a lot of work; there may be other cases too; maybe handling it yourself is no longer realistic. For you, some good news.
  56. gongo/merciful-polluter: a library that reproduces register_globals on PHP [version lost] and later; as of [date lost], verified to work up to PHP [version lost]; as a bonus it also supports magic_quotes_gpc; the name literally means "merciful pollution". Treat it strictly as a stopgap: upgrading PHP comes first! https://github.com/gongo/merciful-polluter

  57. Summary

  58. Summary: register_globals really is amazing, in many senses. If register_globals is the blocker keeping you from updating PHP, don't give up! It can be dealt with.

  59. References: PHP manual, https://www.php.net/manual/ja/index.php; PHP source code, https://github.com/php/php-src; PHP internals mailing list (archive), https://marc.info/?l=php-internals