Newsgroups: php.internals
Sender: yohgaki@gmail.com
Date: Tue, 10 Apr 2012 04:17:27 +0900
To: Tom Boutell
Cc: PHP Internals
Subject: Re: [PHP-DEV] PHP class files without

> I agree that the security argument is bogus, but it was never one of
> my reasons for this proposal.

The risk is there and it is hard to get rid of it.
The risk will not go away by calling it bogus.

If programmers/administrators could disable embed mode, then
systems would be protected from vulnerable code.

If you insist, please show us how to protect from $_SESSION
script injection. Please do not tell me that programmers should learn
not to, since it's not a protection but education.

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net

>
> --
> Tom Boutell
> P'unk Avenue
> 215 755 1330
> punkave.com
> window.punkave.com