Newsgroups: php.internals
Xref: news.php.net php.internals:59544
Subject: Re: [PHP-DEV] RFC: source files without opening tag
From: yohgaki@ohgaki.net (Yasuo Ohgaki)
To: Stas Malyshev
Cc: "internals@lists.php.net"
Date: Tue, 10 Apr 2012 05:20:23 +0900
In-Reply-To: <4F8340E6.90005@sugarcrm.com>
References: <-5877502932356715576@unknownmsgid> <-3647345967307864634@unknownmsgid> <4F831FAE.2030208@ralphschindler.com> <4775322189440202047@unknownmsgid> <4F833682.2000301@ralphschindler.com> <4F833AB0.2060306@sugarcrm.com> <4F8340E6.90005@sugarcrm.com>

Hi,

2012/4/10 Stas Malyshev :
> Hi!
>
>>> I'm not sure I follow - which PHP vulnerability are you talking about?
>>
>> Local file includes. (LFI)
>
> I'm not sure I understand - where's the vulnerability?
>
>> There is a null byte protection for LFI and I really like the protection.
>> It's also beneficial for other problems. However, it would not help code
>> like "include $_REQUEST['var']"
>
> Don't write such code. It's like saying the exec() function is a
> "vulnerability" in libc. You instruct PHP to run code based on user
> input - that's what PHP will be doing, it's not a "vulnerability" by any
> definition.

I agree. Programmers should not write that.

I would not propose the RFC if PHP were mainly used as an embedded language or the vulnerability were non-fatal. By making embedded mode non-mandatory, almost all issues will be gone.

Why shouldn't we?

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net
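As an added example, not code from this thread or from the PHP project: the `include $_REQUEST['var']` pattern the message discusses, placed beside an allow-list based rewrite of the same page-selection logic. The `pages/` directory, the `PAGE_ALLOWLIST` map and the function names are assumptions made for this illustration.

```php
<?php
// Added example (not from the thread): the include pattern discussed above,
// beside a hardened version that never hands request data to include().

// Assumption: page templates live in a fixed directory next to this script.
const PAGE_DIR = __DIR__ . '/pages';

// Assumption: a fixed map from request keys to file names. The request may
// only pick a key; it never supplies a path fragment.
const PAGE_ALLOWLIST = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

// The pattern the thread warns against: the request value is the path, so
// whatever the client sends is resolved and executed as PHP. PHP's null-byte
// rejection (mentioned in the thread) only blocks one truncation trick; it
// does nothing about the path itself being attacker-chosen.
function includePageUnsafe(array $request): void
{
    include $request['var'];
}

// Hardened: look the key up in the allow-list, resolve the result with
// realpath(), and confirm it still sits under PAGE_DIR before including it.
function resolvePage(array $request): ?string
{
    $key = $request['var'] ?? 'home';
    if (!is_string($key) || !isset(PAGE_ALLOWLIST[$key])) {
        return null;                       // unknown key: refuse, do not guess
    }

    $base = realpath(PAGE_DIR);
    $file = realpath(PAGE_DIR . '/' . PAGE_ALLOWLIST[$key]);
    if ($base === false || $file === false) {
        return null;                       // directory or file missing
    }

    // Belt and braces: even an allow-listed entry must resolve under PAGE_DIR
    // (guards against a symlink or a misconfigured allow-list entry).
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($file, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $file;
}

function includePageSafe(array $request): void
{
    $file = resolvePage($request);
    if ($file === null) {
        http_response_code(404);
        echo 'No such page';
        return;
    }
    include $file;
}

// Usage from a front controller:
// includePageSafe($_GET);
```

The design choice is that the request selects an entry in a table the application owns, rather than a file system path; `realpath()` plus the prefix check is a second, independent guard so that a mistake in the table cannot widen what `include` will execute.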