Newsgroups: php.internals
Xref: news.php.net php.internals:59473
X-PHP-List-Original-Sender: arvids.godjuks@gmail.com
Date: Mon, 9 Apr 2012 00:22:46 +0300
To: PHP Developers Mailing List
Subject: Re: [PHP-DEV] PHP class files without

wrote:

> 2012/4/8 Ángel González :
> > On 07/04/12 22:48, Yasuo Ohgaki wrote:
> >> Hi,
> >>
> >> The only valid reason for removing
> >> security.
> >>
> >> Since the null byte detection for fopen, remote/local script inclusion
> >> became much harder than before. However, it's still possible and very
> >> easy compared to other languages. Script execution is a critical security
> >> problem and it's worth making it better.
> >>
> >> If there is a switch that turns off PHP's template engine nature, PHP
> >> could be more secure than now.
> >>
> >> php.ini
> >> template_mode = on ; INI_ALL On by default
> >>
> >> php -t foo.php # template mode by default
> >> php -T foo.php # template mode off
> >>
> >> People have the option to make their code a little more secure than now
> >> or stick with the current behavior.
> >>
> >> Regards,
> > How does it help security?
> > If any, requiring '
> > out malicious files on apps with uploads in case there's a local
> > inclusion vulnerability somewhere.
> >
>
> Attackers may inject PHP script into almost anything/anywhere since
> PHP code may be embedded anywhere in a file.
>
> For example, malicious PHP script may be in a GIF, something like
>
> gif89a ...any data..
>
> and all an attacker has to do is include/require the data somehow.
> Attackers cannot do this for other languages, since they are
> not embedded languages. I know of cases where attackers may inject
> malicious perl/ruby script in data files, but PHP is too easy
> compared to these languages.
>
> Regards,
>
> --
> Yasuo Ohgaki
>
> --
> PHP Internals - PHP Runtime Development Mailing List
> To unsubscribe, visit: http://www.php.net/unsub.php

An improperly configured web server is not a reason to change the most basic part of the language, which will break every damn application out there.
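As an added illustration of the "template mode off" idea argued over above (example code, not from this thread and not part of PHP itself): a userland check that refuses to include a file unless it starts with `<?php` and contains no data outside PHP tags, using `token_get_all` to spot `T_INLINE_HTML`. The function names and the three sample files are constructed for the demo.

```php
<?php
// Added example: a userland approximation of the proposed "template mode off".
// A file may be included only if it is pure PHP: it starts with <?php and has
// no inline HTML/data outside PHP tags. All names and samples are invented.
/** Return the problems found, or [] when $source is pure PHP. */
function pure_php_problems(string $source): array
{
    $problems = [];
    if (strncmp($source, "<?php", 5) !== 0) {
        $problems[] = 'does not start with <?php';
    }
    foreach (token_get_all($source) as $token) {
        // Any text outside <?php ... ?> is tokenised as T_INLINE_HTML.
        if (is_array($token) && $token[0] === T_INLINE_HTML) {
            $problems[] = "inline data outside PHP tags at line {$token[2]}";
        }
    }
    return $problems;
}
/** require $path only when it is pure PHP; throw otherwise. */
function require_pure_php(string $path)
{
    $source = file_get_contents($path);
    if ($source === false) {
        throw new RuntimeException("cannot read $path");
    }
    $problems = pure_php_problems($source);
    if ($problems !== []) {
        throw new RuntimeException("$path rejected: " . implode('; ', $problems));
    }
    return require $path;
}
// Constructed samples: a class file, a data file carrying a PHP tag, a template.
$samples = [
    'class file' => "<?php\nclass Foo {}\n",
    'data file'  => "GIF89a ...binary data... <?php /* embedded */ ?>\n",
    'template'   => "<?php \$x = 1; ?>\n<html>...</html>\n",
];
foreach ($samples as $label => $source) {
    $path = tempnam(sys_get_temp_dir(), 'chk');
    file_put_contents($path, $source);
    try {
        require_pure_php($path);
        echo "$label: accepted\n";
    } catch (RuntimeException $e) {
        echo "$label: " . $e->getMessage() . "\n";
    } finally {
        unlink($path);
    }
}
```

Only the class file is accepted; the data file is rejected both for its prefix and for the inline data at line 1, and the template for the HTML after the closing tag.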