Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:59586 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 41630 invoked from network); 10 Apr 2012 00:19:57 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 10 Apr 2012 00:19:57 -0000 Authentication-Results: pb1.pair.com header.from=yohgaki@gmail.com; sender-id=pass Authentication-Results: pb1.pair.com smtp.mail=yohgaki@gmail.com; spf=pass; sender-id=pass Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.160.170 as permitted sender) X-PHP-List-Original-Sender: yohgaki@gmail.com X-Host-Fingerprint: 209.85.160.170 mail-gy0-f170.google.com Received: from [209.85.160.170] ([209.85.160.170:44608] helo=mail-gy0-f170.google.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id 6C/27-34074-CAC738F4 for ; Mon, 09 Apr 2012 20:19:56 -0400 Received: by ghbg2 with SMTP id g2so2439756ghb.29 for ; Mon, 09 Apr 2012 17:19:53 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:from:date :x-google-sender-auth:message-id:subject:to:cc:content-type; bh=uUzBvRtApQlgzUvN9TrzfVAA+RT6XdY+pE41o6mDbtY=; b=t62MLbkL96T5ppatnz0+JKO60vKW0DHtHLodzZSnsh1IYQdURi0fgG0Ztkt2rjPpad 3x3pP8+/3u89biwzP5Rpq/+MO0URx8e+TAtkkuODQW1ZC6YcgUhXbsmeo2bUJ+iCKtqJ R4Fc5AXTU9MCnNVdBf1DhUh/TqAGnGNLOKfRw4jy5GH9twCzuIytgaKvoJmDbV9PD49U TgOQmfx4surkWyRj0Zk0UJu9mArSOoRLM2dcf+SBrGPXiHWZAHd/K+XHTo0QHExk1YLA zQyxy6G0oCU6DaOWpNw7HJ0tMJaOao3WnlO8j9l4W1ugnUFBiZw6cFzWkjYoVRN749G9 MW2g== Received: by 10.236.161.3 with SMTP id v3mr7581298yhk.128.1334017193730; Mon, 09 Apr 2012 17:19:53 -0700 (PDT) MIME-Version: 1.0 Sender: yohgaki@gmail.com Received: by 10.146.86.14 with HTTP; Mon, 9 Apr 2012 17:19:13 -0700 (PDT) In-Reply-To: References: Date: Tue, 10 Apr 2012 09:19:13 +0900 X-Google-Sender-Auth: RjNXlh783KzTbj_YuyWJol7y7_g Message-ID: To: Arvids Godjuks Cc: PHP Internals Content-Type: text/plain; charset=ISO-8859-1 Subject: Re: [PHP-DEV] RFC: source files without opening tag From: yohgaki@ohgaki.net (Yasuo Ohgaki) Hi, 2012/4/10 Arvids Godjuks : > I have a question - does it really bother people to type the kind*a don't do that for how long, 4-5 years? Every IDE and every damn > decent code editor does that for you. Hell, they even can create a template > file for you! > Some arguments are just plain silly. > > The point about file include attacks on the other hand is valid. Including > code without the and exploiting a vurnelable include to execute the code. On the other hand > you have the problem of BC and libraries with the haven't seen any real discussion about this. And beleve me, this will be > the "WTF?!". I agree. Therefore, current behavior is the default. If newer code written with a little care, the code is compatible for both embedded and non-embedded modes. Those who are not willing to write opening TAG, it is possible a single ini_set() or command line option, too. https://wiki.php.net/rfc/nophptags Comments are welcome. Regards, -- Yasuo Ohgaki yohgaki@ohgaki.net > > PHp native templates are also a big factor, i personally do not use any > template engine - plain php is pretty damn good if combined with good tools > (in my case Yii framework provides great stuff to work with). > > The most thing i fear that changing this will add a false sence of > security. If you include a file based on a route (witch we usually do) - > you have to check your input tripple-time and make sure it does not try to > point elsewhere. If not, the people out there will find a way to use thet > vurneability, it just would not be a. gif file, but something else. Not to > say some just configure to run any file as a PHP file.