Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:59607
Return-Path: <smalyshev@sugarcrm.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 86506 invoked from network); 10 Apr 2012 03:05:03 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 10 Apr 2012 03:05:03 -0000
Authentication-Results: pb1.pair.com header.from=smalyshev@sugarcrm.com; sender-id=pass
Authentication-Results: pb1.pair.com smtp.mail=smalyshev@sugarcrm.com; spf=pass; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain sugarcrm.com designates 67.192.241.133 as permitted sender)
X-PHP-List-Original-Sender: smalyshev@sugarcrm.com
X-Host-Fingerprint: 67.192.241.133 smtp133.dfw.emailsrvr.com Linux 2.6
Received: from [67.192.241.133] ([67.192.241.133:42940] helo=smtp133.dfw.emailsrvr.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id D0/A0-34074-F53A38F4 for <internals@lists.php.net>; Mon, 09 Apr 2012 23:05:03 -0400
Received: from localhost (localhost.localdomain [127.0.0.1])
	by smtp13.relay.dfw1a.emailsrvr.com (SMTP Server) with ESMTP id 6520B3D0041;
	Mon,  9 Apr 2012 23:05:01 -0400 (EDT)
X-Virus-Scanned: OK
Received: by smtp13.relay.dfw1a.emailsrvr.com (Authenticated sender: smalyshev-AT-sugarcrm.com) with ESMTPSA id 1A9753D00B5;
	Mon,  9 Apr 2012 23:05:01 -0400 (EDT)
Message-ID: <4F83A35C.8040804@sugarcrm.com>
Date: Mon, 09 Apr 2012 20:05:00 -0700
Organization: SugarCRM
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:11.0) Gecko/20120313 Thunderbird/11.0
MIME-Version: 1.0
To: Yasuo Ohgaki <yohgaki@ohgaki.net>
CC: "internals@lists.php.net" <internals@lists.php.net>
References: <CAORXhGJwmbjw3Zze3+-oFA2Mb_Z-2owVESraNMMs57RzjRRMbA@mail.gmail.com> <-5877502932356715576@unknownmsgid> <CAORXhGLPdAie6UFq+daJhUmDUqp7RaFFLa596XdzdtuCddf0Jw@mail.gmail.com> <-3647345967307864634@unknownmsgid> <CAORXhGKjg_L11dFGNHNfNygDH018=ZhytAy1vH+Ei8QHfry=cA@mail.gmail.com> <CAORXhG+K3XML-47+FDYdL5D717wDX7c59Pz8KgqjcP16+Ad12w@mail.gmail.com> <4F831FAE.2030208@ralphschindler.com> <4775322189440202047@unknownmsgid> <CAORXhGJSG6CJD5EAt_uZ7RjfjM345nfrVQz8t2ep4e3WhCeKMQ@mail.gmail.com> <4F833682.2000301@ralphschindler.com> <CAGa2bXYjJsfo6os_P1OvQ7jfmxeYUkZ+QK5r94nwNUsba-iWLA@mail.gmail.com> <4F833AB0.2060306@sugarcrm.com> <CAGa2bXZQN9brCwHOOkDU+x3hf5dZgqqmv1ZSTJ3VMjSpdda6tA@mail.gmail.com> <4F8348AB.1040305@sugarcrm.com> <CAGa2bXYLTe=ctyFO9AccHOWtmbHHLvLFGRVYWuc6an+Tsy7MeA@mail.gmail.com> <CAGa2bXZeuSZ+PNY_P5GCjYskNwOudpEheqLvOo-gqRuvqR2ZVQ@mail.gmail.com>
In-Reply-To: <CAGa2bXZeuSZ+PNY_P5GCjYskNwOudpEheqLvOo-gqRuvqR2ZVQ@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Subject: Re: [PHP-DEV] RFC: source files without opening tag
From: smalyshev@sugarcrm.com (Stas Malyshev)

Hi!

> LFI risk is unique to PHP. The cause of risk is mandatory embedded script.

No it's not. If you write Python code that loads code from random file
and evaluates it, it will be "vulnerability in Python". If you write in
in Bash, it would be "vulnerability in bash". If you write it in C, it
will be "vulnerability in C". I don't see anything unique to PHP here.
-- 
Stanislav Malyshev, Software Architect
SugarCRM: http://www.sugarcrm.com/
(408)454-6900 ext. 227