Newsgroups: php.internals
Date: Tue, 10 Apr 2012 16:59:42 +0900
To: internals@lists.php.net
Subject: Disabling PHP tags by php.ini and CLI options
From: yohgaki@ohgaki.net (Yasuo Ohgaki)

Hi all,

This is the RFC as in the title. Although it's not a direct security measure, it's related to critical security problem prevention. If you are not familiar with how to execute arbitrary PHP code and steal data from an RDBMS via SQL injection and LFI, it may be interesting.

This RFC will not break any existing code. Programmers may keep full backward compatibility while getting better security.

https://wiki.php.net/rfc/nophptags

Please read and give comments.

Thank you.

P.S. This RFC is based on an April Fools' RFC written by Moriyoshi, but this is a serious RFC.

--
Yasuo Ohgaki
yohgaki@ohgaki.net