Request #63076 Force source IP on network operations
Submitted: 2012-09-12 20:08 UTC Modified: 2012-09-13 08:19 UTC
Votes:3
Avg. Score:4.3 ± 0.9
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: tonix at interazioni dot it Assigned:
Status: Open Package: Network related
PHP Version: Irrelevant OS:
Private report: No CVE-ID: None
 [2012-09-12 20:08 UTC] tonix at interazioni dot it
Description:
------------
It would be nice to have a new security feature in PHP.

Actually, a web server receives connections from a specific IP/port, but any PHP script can use any available address on outgoing connections.
This can be a security problem.

It should be possible to 'force' PHP to open connections only with a specific IP or with the listening IP. This helps to prevent such problems:

 * if you have internal interfaces in the same machine where you have
   public IPs, a web PHP application could try to use the internal
   address of the interface, exploring internal network (actually we avoid that
   thanks to FreeBSD jails).
 * if apache listens on a specific IP for a single domain, and listens
   on other IPs for other domains, it would be safe if each domain can
   use as source IP only the listening IP associated.



 [2012-09-13 01:09 UTC] aharvey@php.net
You can already do this for any function that accepts a stream context via the bindto context option. Is there a specific case that isn't covered?
 [2012-09-13 01:09 UTC] aharvey@php.net
-Status: Open +Status: Feedback -Package: Safe Mode/open_basedir +Package: Network related
 [2012-09-13 08:19 UTC] tonix at interazioni dot it
-Status: Feedback +Status: Open
 [2012-09-13 08:19 UTC] tonix at interazioni dot it
bindto looks to be a programming option.
I'm asking for a PHP directive, similar to OPEN_BASEDIR, which will force the bind address for any function opening/creating a socket or network connection.

This should be imposed by the system manager, when there is a multidomain/multiIP apache.

It would be useful to have something like:
BIND_IP 'x.x.x.x' (specific IP to be used for binding)
BIND_LISTEN (force use of IP on which the apache connection is received)
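
The difference between the `bindto` context option and the requested directive, as an added example that is not part of the original report or of PHP's own code: it binds outgoing stream connections per call and via the default context, then shows that a script can still override the default. The local listener, the helper `observed_source()` and the address 127.0.0.2 are assumptions made so the example runs offline.

```php
<?php
// Added example, not from the bug report. Addresses are constructed:
// 127.0.0.2 is assumed to be locally bindable (true on Linux, where all of
// 127.0.0.0/8 is loopback; elsewhere add an alias or change the constant).
const BIND_ADDR = '127.0.0.2';

// Local listener standing in for the remote service, so this runs offline.
$server = stream_socket_server('tcp://127.0.0.1:0', $errno, $errstr);
if ($server === false) {
    exit("listen failed: $errstr\n");
}
$target = 'tcp://' . stream_socket_get_name($server, false);

// Connect to $target and return the source address the listener observed.
function observed_source($server, string $target, $context = null): string
{
    $client = $context === null
        ? stream_socket_client($target, $errno, $errstr, 5)
        : stream_socket_client($target, $errno, $errstr, 5, STREAM_CLIENT_CONNECT, $context);
    if ($client === false) {
        return "connect failed: $errstr";
    }
    $conn = stream_socket_accept($server, 5, $peer);
    fclose($client);
    if ($conn !== false) {
        fclose($conn);
    }
    return (string) $peer;
}

// 1. Explicit per-call context: the "bindto" socket option (port 0 = any port).
$bound = stream_context_create(['socket' => ['bindto' => BIND_ADDR . ':0']]);
echo "explicit bindto : ", observed_source($server, $target, $bound), "\n";

// 2. Default context, e.g. set by the administrator from an auto_prepend_file:
//    stream functions called without a context now inherit the binding.
stream_context_set_default(['socket' => ['bindto' => BIND_ADDR . ':0']]);
echo "default context : ", observed_source($server, $target), "\n";

// 3. The gap raised in the report: a script can pass its own context and
//    pick another source address, so this is a default, not an enforcement.
$override = stream_context_create(['socket' => ['bindto' => '127.0.0.1:0']]);
echo "script override : ", observed_source($server, $target, $override), "\n";
```

The `bindto` option only affects stream-based functions; the sockets extension (`socket_bind()`) and cURL (`CURLOPT_INTERFACE`) choose their source address separately.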
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Wed Dec 11 13:01:29 2024 UTC