Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:59535
Return-Path: <yohgaki@gmail.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 63535 invoked from network); 9 Apr 2012 19:37:09 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 9 Apr 2012 19:37:09 -0000
Authentication-Results: pb1.pair.com smtp.mail=yohgaki@gmail.com; spf=pass; sender-id=pass
Authentication-Results: pb1.pair.com header.from=yohgaki@gmail.com; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.213.170 as permitted sender)
X-PHP-List-Original-Sender: yohgaki@gmail.com
X-Host-Fingerprint: 209.85.213.170 mail-yx0-f170.google.com  
Received: from [209.85.213.170] ([209.85.213.170:52256] helo=mail-yx0-f170.google.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id 72/56-34074-56A338F4 for <internals@lists.php.net>; Mon, 09 Apr 2012 15:37:09 -0400
Received: by yenl5 with SMTP id l5so2313803yen.29
        for <internals@lists.php.net>; Mon, 09 Apr 2012 12:37:06 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=mime-version:sender:in-reply-to:references:from:date
         :x-google-sender-auth:message-id:subject:to:cc:content-type;
        bh=Rn1QLKQ6E3ioehHvQlyPLv9JTwIYW/6hRJWxYtlvL/I=;
        b=LIul1VEDvDL5hDIlkp357aEb/gIHTn5mCuhU5cwVCBggKtqiQRdHSc8+SRPvVlaw9G
         uaZJJEAWpGwxi4KGn6PAec4nQQC+sRn/UFR7rEFKALGh4ysHdYgPgxGJdxdfJ3O1q16q
         XKPxofpvopUiFIxSoIja8MV4OjzWwVrgkrSMZ76zwyLx6cr3XfaNPcMveDTz0rhmsyn8
         MDJ0UY4f2qxG1dEg4wZbgZ9PJGtAGXuEsnwc0O/D9kLgG5er6/uLbaiMex1JnKBH8qHu
         9CHNbBMVBPLewix8l7R9y1eCg69p3omqkNrVITccnk1+IYnVoMwV7TeFHQlfV9nYDfrf
         6wBw==
Received: by 10.236.72.133 with SMTP id t5mr6956443yhd.94.1334000226486; Mon,
 09 Apr 2012 12:37:06 -0700 (PDT)
MIME-Version: 1.0
Sender: yohgaki@gmail.com
Received: by 10.146.86.14 with HTTP; Mon, 9 Apr 2012 12:36:26 -0700 (PDT)
In-Reply-To: <4F833682.2000301@ralphschindler.com>
References: <CAORXhGJwmbjw3Zze3+-oFA2Mb_Z-2owVESraNMMs57RzjRRMbA@mail.gmail.com>
 <-5877502932356715576@unknownmsgid> <CAORXhGLPdAie6UFq+daJhUmDUqp7RaFFLa596XdzdtuCddf0Jw@mail.gmail.com>
 <-3647345967307864634@unknownmsgid> <CAORXhGKjg_L11dFGNHNfNygDH018=ZhytAy1vH+Ei8QHfry=cA@mail.gmail.com>
 <CAORXhG+K3XML-47+FDYdL5D717wDX7c59Pz8KgqjcP16+Ad12w@mail.gmail.com>
 <4F831FAE.2030208@ralphschindler.com> <4775322189440202047@unknownmsgid>
 <CAORXhGJSG6CJD5EAt_uZ7RjfjM345nfrVQz8t2ep4e3WhCeKMQ@mail.gmail.com> <4F833682.2000301@ralphschindler.com>
Date: Tue, 10 Apr 2012 04:36:26 +0900
X-Google-Sender-Auth: zSBMLCPY9ENfHDCqaShVyA5U_D8
Message-ID: <CAGa2bXYjJsfo6os_P1OvQ7jfmxeYUkZ+QK5r94nwNUsba-iWLA@mail.gmail.com>
To: Ralph Schindler <ralph@ralphschindler.com>
Cc: internals@lists.php.net
Content-Type: text/plain; charset=ISO-8859-1
Subject: Re: [PHP-DEV] RFC: source files without opening tag
From: yohgaki@ohgaki.net (Yasuo Ohgaki)

Hi,

Tom's FRC is trying to introduce tag less PHP script.
However, it does not fix well known PHP vulnerability. i.e. LFI/RFI
IMHO, this change introduce more complexity and do not solve
any problem.

Making PHP tag a non mandatory would solve the well known
vulnerability and do not introduce any new function. It's also fully
compatible to existing codes.

https://wiki.php.net/rfc/nophptags

There would be many developers/administrators who would
like to be protected from code like "include $_GET['var']".
nophptags RFC protects systems from this kind of fatal
vulnerable codes.

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net