Newsgroups: php.internals
Date: Wed, 11 Apr 2012 06:49:19 +0900
To: "internals@lists.php.net"
Subject: Re: Disabling PHP tags by php.ini and CLI options
From: yohgaki@ohgaki.net (Yasuo Ohgaki)

Hi,

It seems the motivation of this RFC is better stated. The motivation for this RFC is:

1. A "File Include" is a fatal security breach.
2. The reason why PHP is less secure against "File Include" than other languages is "Mandatory embed mode".
3. Non-mandatory embed mode gives users the option of better security.

With this RFC, PHP could be as safe as other scripting languages with respect to file includes.

This RFC is fully compatible with current code. Writing backward-compatible code takes as few as 3 lines.

Most security measures are not perfect solutions but mitigations, just like canaries and DEP. I suppose people who are concerned with security understand the value of these protections.

Are there any good reasons not to have non-mandatory embed mode as an additional security measure? Why not make it harder for attackers to exploit?

In short, I'm really annoyed to hear "PHP is less secure than Ruby/Perl/Python/etc."

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net