Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:59537 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 66265 invoked from network); 9 Apr 2012 19:46:41 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 9 Apr 2012 19:46:41 -0000 Authentication-Results: pb1.pair.com smtp.mail=yohgaki@gmail.com; spf=pass; sender-id=pass Authentication-Results: pb1.pair.com header.from=yohgaki@gmail.com; sender-id=pass Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.213.42 as permitted sender) X-PHP-List-Original-Sender: yohgaki@gmail.com X-Host-Fingerprint: 209.85.213.42 mail-yw0-f42.google.com Received: from [209.85.213.42] ([209.85.213.42:37311] helo=mail-yw0-f42.google.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id 2E/E6-34074-0AC338F4 for ; Mon, 09 Apr 2012 15:46:40 -0400 Received: by yhfq11 with SMTP id q11so2320836yhf.29 for ; Mon, 09 Apr 2012 12:46:37 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:from:date :x-google-sender-auth:message-id:subject:to:cc:content-type; bh=DQ/YIr9XxRb1Yi2k7+1V+yScgHYYfzXEsO0UO8evlpY=; b=nh8zQ4LeDOxWd3dzoyswAG0B6IedpH6GIiVdda1SoNgmte8L3WGwRESGwVKJBAuCwK N9rNFvBspnUuzPAIoIWOx2LtLQqnlSftRs08rXdTaSpJYXD22Ghx6uZgX3HmxRYYiJrW a9guqc0DfsOXyYH7c7vtI2bDNdlzYy9wQgn0v1QHqtakT3e54nEE3ZUt27TChKQllxw1 VhF9/iwh9RuKgrRx9HFyrJYuixjONQM/3FB7xaADWlK+/8vLOPhq81cA0YirErPWZKcH +buUXYjD5ojabkGEzTQUTpntD1Os6skyaSYP1xRxzMBocjO5gDz5WJyvvFox0v8tI8wq dU4g== Received: by 10.236.161.3 with SMTP id v3mr6984039yhk.128.1334000797179; Mon, 09 Apr 2012 12:46:37 -0700 (PDT) MIME-Version: 1.0 Sender: yohgaki@gmail.com Received: by 10.146.86.14 with HTTP; Mon, 9 Apr 2012 12:45:56 -0700 (PDT) In-Reply-To: <4F833AB0.2060306@sugarcrm.com> References: <-5877502932356715576@unknownmsgid> <-3647345967307864634@unknownmsgid> <4F831FAE.2030208@ralphschindler.com> <4775322189440202047@unknownmsgid> <4F833682.2000301@ralphschindler.com> <4F833AB0.2060306@sugarcrm.com> Date: Tue, 10 Apr 2012 04:45:56 +0900 X-Google-Sender-Auth: TWKZTr1u8jUWXYyieR3321t6x_U Message-ID: To: Stas Malyshev Cc: Ralph Schindler , "internals@lists.php.net" Content-Type: text/plain; charset=ISO-8859-1 Subject: Re: [PHP-DEV] RFC: source files without opening tag From: yohgaki@ohgaki.net (Yasuo Ohgaki) Hi, 2012/4/10 Stas Malyshev : > Hi! > >> Tom's FRC is trying to introduce tag less PHP script. >> However, it does not fix well known PHP vulnerability. i.e. LFI/RFI >> IMHO, this change introduce more complexity and do not solve >> any problem. > > I'm not sure I follow - which PHP vulnerability you are talking about? Local file includes. (LFI) There is a null byte protection for LFI and I really like to the protection. It's also beneficial to other problems. However, it would not help codes like "include $_REQUEST['var']" LFI is fatal vulnerability. It would be better kill the vulnerability if we can. IMHO. Regards, P.S. Mandatory embedded script mode does not make much sense lately. -- Yasuo Ohgaki yohgaki@ohgaki.net