Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:59609 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 89294 invoked from network); 10 Apr 2012 03:12:57 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 10 Apr 2012 03:12:57 -0000 Authentication-Results: pb1.pair.com header.from=yohgaki@gmail.com; sender-id=pass Authentication-Results: pb1.pair.com smtp.mail=yohgaki@gmail.com; spf=pass; sender-id=pass Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.161.170 as permitted sender) X-PHP-List-Original-Sender: yohgaki@gmail.com X-Host-Fingerprint: 209.85.161.170 mail-gx0-f170.google.com Received: from [209.85.161.170] ([209.85.161.170:63552] helo=mail-gx0-f170.google.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id CD/31-34074-735A38F4 for ; Mon, 09 Apr 2012 23:12:56 -0400 Received: by ggmb2 with SMTP id b2so2461550ggm.29 for ; Mon, 09 Apr 2012 20:12:52 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:from:date :x-google-sender-auth:message-id:subject:to:cc:content-type; bh=C0sxq5XN9+71EMhSr0D1ynSE5AQxATg8RuYeZEzLm9Q=; b=EvYPS9pOTHeL4Qiy2dA/ltfwbyeLeqAoF8BLpGEPzBadv6GY03OoRxffLdAdXfIoYw 1/MzNfmyosrG0RUYrz9ZRuCpJdNf/EH0iGVQKmxouXHJZbdQ8W1KtyNDNYajOu2cIJYO WTbRBnEmlr52/bB+vqJiaJAywvhOTRLib2d/neSrXLFyUznziTvg3uphbTzAR99t7P3f jacAgbP7bDOWM3vFq9pNWbQUJvA0DI3ZGHDzINZkZ/89Lq+SEmMkEdWlojDAINObKQGa Q/iNh93vqfaqmr0u6rI+BggCkPIF/Tp9PXAV2B7KZ82fMncyal057KIy3va44hp0DlmA CK4Q== Received: by 10.236.193.39 with SMTP id j27mr8072779yhn.111.1334027572912; Mon, 09 Apr 2012 20:12:52 -0700 (PDT) MIME-Version: 1.0 Sender: yohgaki@gmail.com Received: by 10.146.86.14 with HTTP; Mon, 9 Apr 2012 20:12:12 -0700 (PDT) In-Reply-To: <4F83A35C.8040804@sugarcrm.com> References: <-5877502932356715576@unknownmsgid> <-3647345967307864634@unknownmsgid> <4F831FAE.2030208@ralphschindler.com> <4775322189440202047@unknownmsgid> <4F833682.2000301@ralphschindler.com> <4F833AB0.2060306@sugarcrm.com> <4F8348AB.1040305@sugarcrm.com> <4F83A35C.8040804@sugarcrm.com> Date: Tue, 10 Apr 2012 12:12:12 +0900 X-Google-Sender-Auth: t0yGQ8ZNFZOJLJujwCxD7wcXpe0 Message-ID: To: Stas Malyshev Cc: "internals@lists.php.net" Content-Type: text/plain; charset=ISO-8859-1 Subject: Re: [PHP-DEV] RFC: source files without opening tag From: yohgaki@ohgaki.net (Yasuo Ohgaki) Hi, 2012/4/10 Stas Malyshev : > Hi! > >> LFI risk is unique to PHP. The cause of risk is mandatory embedded script. > > No it's not. If you write Python code that loads code from random file > and evaluates it, it will be "vulnerability in Python". If you write in > in Bash, it would be "vulnerability in bash". If you write it in C, it > will be "vulnerability in C". I don't see anything unique to PHP here. Thank you for pointing out the incorrect statement. I know the condition to allow LFI for Perl/Ruby, also. LFI with PHP is just too easy :) As I wrote in the RFC, PHP would be better as safe as other major languages. Better means it is not a mandatory. Regards, -- Yasuo Ohgaki yohgaki@ohgaki.net