Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:131034 X-Original-To: internals@lists.php.net Delivered-To: internals@lists.php.net Received: from php-smtp4.php.net (php-smtp4.php.net [45.112.84.5]) by lists.php.net (Postfix) with ESMTPS id 5A3851A00BC for ; Thu, 28 May 2026 09:10:36 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=php.net; s=mail; t=1779959440; bh=9J50uaVoGxb4r5nTUOlsbkZwMOhIb6tIiJ2k5Eg/biw=; h=References:In-Reply-To:From:Date:Subject:To:Cc:From; b=Gu/2BXjPTFIXZuf9wdty7ajkYf/45ic9iBpQ2kjSXOb6q8l4Yv/jzEJw0aeP6BjhW G+HNBcKgXP6JaokTcmQjxqPVfzFqTqXo6b3pVVfm9m6AnHeOo3rDeeXV84uizpjlhC LsDRtFlR8H6WLtxpiGNGwu0rblmyn3IGL38xIoEW3BcObk2EeyIwyD91ClqspQcqhn GsHdIw3aiM+U1Il12bNMu7JDamOkBt3Tqo3X16TdRpH+icciLGYMVFP5Ur+BAkJuMF CZMB3n33SCac41O0ysgd8JRkbffmu8oZ81RbKfQz5kshEFe/8kk0eXmb1oRZXLgP1o 43NQpLxcCEItA== Received: from php-smtp4.php.net (localhost [127.0.0.1]) by php-smtp4.php.net (Postfix) with ESMTP id 38DED18054E for ; Thu, 28 May 2026 09:10:40 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 4.0.1 (2024-03-25) on php-smtp4.php.net X-Spam-Level: X-Spam-Status: No, score=0.6 required=5.0 tests=BAYES_50,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,DMARC_PASS,FREEMAIL_FROM, HTML_MESSAGE,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H2,SPF_HELO_NONE, SPF_PASS autolearn=no autolearn_force=no version=4.0.1 X-Spam-Virus: No X-Envelope-From: Received: from mail-qk1-f177.google.com (mail-qk1-f177.google.com [209.85.222.177]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by php-smtp4.php.net (Postfix) with ESMTPS for ; Thu, 28 May 2026 09:10:40 +0000 (UTC) Received: by mail-qk1-f177.google.com with SMTP id af79cd13be357-914c1ced558so304504885a.3 for ; Thu, 28 May 2026 02:10:35 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1779959434; cv=none; d=google.com; s=arc-20240605; b=Sci0WlnOew74k0KECvToq3mTEWPnKDE2N1omnGFmyMmIK+oTmCHwtEE6Ze4RLdEgKT cX0elwrS3YvM8ExxF8FQM6yBaFqAI9MFwIHD1MfzSPYN+5X63slkuBdiuXWEtxyZZI0K VWtSeVHbSsRPbGFwBNe8gNNwqG7sTCcFSd4r4Ajaq/ZExazAluRY5P/9kV9MMErLtwXG T7vTbAxnXXvLUFjP5WJKete5mRAeycE66G/+jO/hG96LPKWDF1fQJ79NA8zxs1bbnclm aLmxABelYEYplzIQTaMxkRQVedo+aWHFrfc9qGBHamYLGSzpSnsxwpT8jBSA6WKIhp+o eJhQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:dkim-signature; bh=M9/Yr3RqAxmtYKiOgfJBhsohbkMBmnpi62ItrLP+7EU=; fh=tO2k0lYV5udncwYa5Ixk1IPJzKSJvbG7kyat0r0OOb8=; b=WmcGemKlm7BhXvXCXJAoMoZ1ZkIR0Ff8F5NCOXQjjeaqnLvG+GSLDuY2+vk3F9d5BT zTPO+ESP76DgWocaR+NW5CW3kb7SvPvk5qaCtwLpzcd0Lhhq2tyNeBhh4cLtUNwg7es+ dvnjEUPO8vmBM+7qgAoKG2wZvNwVSIYhKD+SlH9x4R5Rr6zWx1MyZi8J34FfoXCN/0xr OgUx93Th5lLHMaXKum7JliZfcKNnnuVz8Ppw9SDoF2L+7V+OlV1wPCG19e0I2f1NgIKR oFzbo0486Ucr8gzhV7je7vCde2lmAkZ0GRhuoo9HHGqnOSsJXm/ujLocHY3j287eD43D cMqw==; darn=lists.php.net ARC-Authentication-Results: i=1; mx.google.com; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1779959434; x=1780564234; darn=lists.php.net; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=M9/Yr3RqAxmtYKiOgfJBhsohbkMBmnpi62ItrLP+7EU=; b=l045pbHU6qEQ5MA72HhNKORrccy5IzIkxOWJopznATFR6hpG+YX7uumUrjXg5Q8UHs 45DhGl9d3x8Hpfojgdwk+fOPNIqZOjPLvuP9lpBDAm/lPSfl0MH8SdQmzOOBOt4zbd7A r/qxhjwXWbokpFAwSkg1/2hlTq0pJ/ShGydnoP8nztkGfkAo/pmhuKU33JqsA6u7C+tM ljs30LhoKJH6v8ugzaLEvEKT678fmzcejUAKpi4/1D7c6L6JwPUaWKfKrzyhR+YCgM5f nOiPcmtvLeAVcjY5yfl4qpLfUtYLnZZKt0+dljpuclWa3n1aKybHxRBJ0QiwunPQ+pjd ZcOA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1779959434; x=1780564234; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-gg:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=M9/Yr3RqAxmtYKiOgfJBhsohbkMBmnpi62ItrLP+7EU=; b=IwOy33S0NzSMVCFEBziamUaSKp7JER6WkSb8e/yb71kfKJTtFV8BwWMOySWEFn8qKq /BqwnuRpgw4gmsVN7T9DnBLn1VRzP/x17eoMkmcUj7Fv3+vSRmyORxjYsiFZVGU22qEh lEx91ManSzbMhCkK36qVAOIZtJQmh+TyUnVOzH1rV0+Qt3bn4zTejLvU1ecFGpw/UyOq 8TOz+2nGlKE3D5psG4O5y1AM8kdSNHCyOv70c3q4NWma748JL+V1qAiScVr3Ra8qeSKs rrN8mXr9A7VYBocPrRrKE5xj7HFYnHSzCvagN4aA7sJR7NKM0JRZXukFR7iseBCipl9J a4yw== X-Gm-Message-State: AOJu0YwWX27V/WthnzAtXrQ5Ld2BlBsIYQdH2yVSG+bDovN51Q9qLCej 0/OSQAg8BKP2tKDMCQO/ArvAFmiTnyjWU4uyYQdzPl9quZo1MLLrFYTznLUXCuCdIYdgLmkHwmv o+Jsjun3BwMGE/LD29iMAor3X0VFanks= X-Gm-Gg: Acq92OH9SU6wZICkK1nYAGQuPZzwAq3/X5ajBRIYH/KeYACrS9q3ooEincF7MG3DtCK pqKO1bD2XFijhBNIyHU+arL05pVC95kRyfvoT3jZB0O/B7BTsswQq0pC8p5roLYfAPtpRjMeG8/ Qa4X6OcAwHxLQUlhS2t1XCy3/KOCqZK6p6DbWHksWOgxyXt5U7ngKQDgPU+bmnmj/9Ajkymv1cv LboIjH704oPOaDx2uNNu32QzQd/OMD6UkCgPyyMoRrjZ/hrmwlgevI5n1olRkFB5chkd8qWnNty wHUGZr3U+2zRO44S6mLCH3WT+mYo0NdZbiuaBP6JWiDKIMlsTyRIruv/W1crmbqO/FQr1uBwmIr m0qT0aaVSO7U/5omVd7vArsGmUwfD9IVc/aOQYzfoic3/Hdro X-Received: by 2002:a05:620a:1793:b0:914:c16e:67fb with SMTP id af79cd13be357-914c16e6b44mr3306016285a.34.1779959434051; Thu, 28 May 2026 02:10:34 -0700 (PDT) Precedence: list list-help: list-unsubscribe: list-post: List-Id: x-ms-reactions: disallow MIME-Version: 1.0 References: <9E95EA03-B86A-D248-A980-B1E838F94C13@hxcore.ol> <20260527131921.086BB1A00BD@lists.php.net> <8AE9A269-2E40-42F0-A0F8-C6690B2935FE@gmail.com> <20260528023149.C97961A00BD@lists.php.net> <76D39851-7DAC-4F56-9615-B98B0A918770@gmail.com> <20260528043224.2CDD51A00BD@lists.php.net> <690e2bc4-d6c9-488b-bbd7-0010437f6c15@gmail.com> <878E83EF-DBA2-429A-A17B-55238600E834@gmail.com> In-Reply-To: <878E83EF-DBA2-429A-A17B-55238600E834@gmail.com> Date: Thu, 28 May 2026 12:10:22 +0300 X-Gm-Features: AVHnY4JOJsJW5SmftVzsj10p9axbpCDfY9i7NxENR8emKNVWNeXhNJk5DyiGVOs Message-ID: Subject: Re: [PHP-DEV] [Pre-RFC] Pure-code source files via .phpc extension To: Hendrik Mennen Cc: php internals Content-Type: multipart/alternative; boundary="000000000000c8048a0652dd19a4" From: go.al.ni@gmail.com --000000000000c8048a0652dd19a4 Content-Type: text/plain; charset="UTF-8" I see a security concern in introducing a new file extension. It's common to configure a web server to pass locations that end with .php to a PHP interpreter. Nginx example: ``` location ~ \.php$ { include snippets/fastcgi-php.conf; fastcgi_pass unix:/run/php/php8.2-fpm.sock; } ``` Apache2 example: ``` SetHandler application/x-httpd-php ``` With a new file extension, users would be forced to change their configs, or a direct request to .phpX file would expose its source code. This will come as a surprise to users who don't know about the pure syntax yet include libraries that use it. --000000000000c8048a0652dd19a4 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
I see a security conc= ern in introducing a new file extension.

<= div dir=3D"auto">It's common to configure a web server to pass location= s that end with .php to a PHP interpreter.

Nginx example:

```
location ~ \.php$ {
=C2=A0 =C2=A0 include snippets/fastcgi-php.conf;
=C2=A0 =C2=A0 fastcgi_pass unix:/run/php/php8.2-fpm.sock;
}
```

Apache2 example:

```
<FilesMatch \.php$>
=C2=A0 =C2=A0 SetHandler application/x-httpd-php
</FilesMatch>
```

With a new file extension, users would be = forced to change their configs, or a direct request to .phpX file would exp= ose its source code.

Thi= s will come as a surprise to users who don't know about the pure syntax= yet include libraries that use it.
--000000000000c8048a0652dd19a4--