Newsgroups: php.internals
To: Yasuo Ohgaki, internals@lists.php.net
Date: Tue, 10 Apr 2012 20:53:13 -0400
Subject: RE: [PHP-DEV] Re: Disabling PHP tags by php.ini and CLI options
From: John Crenshaw <johncrenshaw@priacta.com>

From: yohgaki@gmail.com [mailto:yohgaki@gmail.com] On Behalf Of Yasuo Ohgaki
>
> Hi,
>
> It seems the motivation of this RFC is better to be stated.
> The motivation to have this RFC is
>
> 1. "File Includes" is a fatal security breach.
> 2. The reason why PHP is more insecure to "File Include" than other languages is "Mandatory embed mode".
> 3. Non-mandatory embed mode gives users the option of better security.
>
> With this RFC, PHP could be as safe as other scripting languages with respect to file includes. This RFC is fully compatible with current code. Writing backward compatible code is as few as 3 lines.

No, I understood the reasons, but I reject the assumption that you are making. The "embed mode" doesn't have a measurable impact on the security of this system. The vulnerable code can be exploited in countless ways with or without embed mode.

> Most security measures are not perfect solutions, but mitigation, just like canary and DEP. I suppose people who are concerned with security understand the value of these protections.

Look, I'm the first to stand up for improved security, but that's not what we have here. Just calling this a security improvement doesn't make it true.

> Are there any good reasons not to have non-mandatory embed mode as an additional security measure? Why not make it harder for attackers to exploit?

Yes. This fundamentally breaks the language. PHP was first and foremost a template language. In fact, the strong template integration is a huge part of why one would build a web site in PHP, not C++.

> In short, I'm really annoyed to hear "PHP is less secure than Ruby/Perl/Python/etc."

Anyone who says this is wrong. Ruby is in fact far less secure, because it doesn't even have cursory escaping functions, and a variety of unpredictable behaviors (implicit returns) can lead to wild results.

John Crenshaw
Priacta, Inc.
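The point John makes above, that a file-include hole lives in how the include path is built rather than in whether PHP tags are mandatory, is easier to see next to code. The following is an added example and not code from the thread or from the RFC: it places the vulnerable include pattern beside a hardened one that maps the request value onto a fixed allowlist, which closes the hole independently of any php.ini setting. The `page` request parameter, the `templates/` directory and the page names are assumptions made for the illustration.

```php
<?php
// Added example (not from the thread). The request parameter 'page', the
// templates/ directory and the page names are assumed for illustration.

declare(strict_types=1);

// Vulnerable pattern: the include target is built from untrusted input.
// Whatever embed mode is in force, any file the caller can name or place on
// disk gets parsed by PHP, so disabling tags does not remove this flaw.
function renderPageUnsafe(string $page): void
{
    include __DIR__ . '/templates/' . $page . '.php';
}

// Hardened pattern: user input selects an entry in a fixed allowlist and is
// never concatenated into the path. Only files listed here can be included.
const ALLOWED_PAGES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

// Returns the absolute template path for a known page, or null otherwise.
function resolveTemplate(string $page): ?string
{
    if (!array_key_exists($page, ALLOWED_PAGES)) {
        return null;
    }
    return __DIR__ . '/templates/' . ALLOWED_PAGES[$page];
}

function renderPageSafe(string $page): void
{
    $template = resolveTemplate($page);
    if ($template === null) {
        http_response_code(404);
        echo 'Unknown page';
        return;
    }
    include $template;
}

// Guard against a non-string value such as page[]=x before dispatching.
$page = $_GET['page'] ?? 'home';
renderPageSafe(is_string($page) ? $page : 'home');
```

The difference between the two functions is the only thing that matters for the class of bug the RFC targets: in `renderPageUnsafe` the attacker chooses the file, in `renderPageSafe` the developer does, and that holds whether or not embed mode is mandatory.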