Newsgroups: php.internals
Subject: Re: [PHP-DEV] Re: Disabling PHP tags by php.ini and CLI options
From: lester@lsces.co.uk (Lester Caine)
To: PHP internals
Date: Wed, 11 Apr 2012 10:34:43 +0100
Message-ID: <4F855033.2070801@lsces.co.uk>
In-Reply-To: <4F8539E0.1090701@sugarcrm.com>

Stas Malyshev wrote:
>> PHP could be stronger against LFI compared to scripting languages
>> as I described in previous mail.
> PHP is as strong as any other language right now - if you include
> user-supplied code, you lost, don't do it - no problem.
>
>> With this RFC, infamous reputation of LFI can be removed from PHP!
> I see no "infamous reputation" except the wrong one you are creating
> right now. include with user-supplied argument is a security hole, it
> has nothing to do with vulnerability in PHP.

Some evidence that this is an 'infamous' problem would be useful. I certainly can only see old references to the null byte problem used for LFI, which was fixed in 5.3.4, but it's impossible to remove all the 'bad practices' from tutorials on the internet which create many of the problems in the first place. Certainly I can't see anything which suggests that disabling the PHP tags would do anything for LFI. I would hope that my own sites follow the right rules to prevent any problems already ...
-- 
Lester Caine - G8HFL
-----------------------------
Contact - http://lsces.co.uk/wiki/?page=contact
L.S.Caine Electronic Services - http://lsces.co.uk
EnquirySolve - http://enquirysolve.com/
Model Engineers Digital Workshop - http://medw.co.uk//
Firebird - http://www.firebirdsql.org/index.php
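The pattern both posts are arguing about, as an added example that is not part of the thread or of PHP itself: an include() whose path is built from a request parameter, beside the allow-list form that removes the hole. The document root, the pages/ directory, the page names and the "secret" file are constructed for the demonstration; the script builds them in a temporary directory, runs both versions against a legitimate and a traversal value of the page parameter, and cleans up.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread. Constructed fixture: a throwaway
// document root with a pages/ directory plus one file outside it that an
// attacker would want to read.
$root = sys_get_temp_dir() . '/lfi-demo-' . bin2hex(random_bytes(4));
mkdir("$root/pages", 0700, true);
file_put_contents("$root/pages/home.php", "<?php echo 'home page';");
file_put_contents("$root/secret.php", "<?php echo 'DB_PASSWORD=hunter2';");

// The hole Stas describes: the include path is built from the request, so
// ?page=../secret steps out of pages/. Before PHP 5.3.4 a trailing null byte
// (%00) also truncated the appended ".php", so ?page=../../../../etc/passwd%00
// loaded files with any extension; 5.3.4 made paths containing NUL invalid,
// which closed the truncation trick but not the traversal itself.
function render_vulnerable(string $root, string $page): string
{
    ob_start();
    include "$root/pages/$page.php";
    return (string) ob_get_clean();
}

// Hardened form: the request selects a key in a fixed allow-list and the
// filename comes from the list, so no user-controlled byte reaches include().
const PAGES = ['home' => 'home.php', 'contact' => 'contact.php'];

function render_hardened(string $root, string $page): string
{
    if (!isset(PAGES[$page])) {
        return 'no such page';   // a real handler would send a 404 here
    }
    ob_start();
    include "$root/pages/" . PAGES[$page];
    return (string) ob_get_clean();
}

// Simulated values of $_GET['page']: one legitimate, one traversal payload.
foreach (['home', '../secret'] as $page) {
    printf("vulnerable page=%-10s -> %s\n", $page, render_vulnerable($root, $page));
    printf("hardened   page=%-10s -> %s\n", $page, render_hardened($root, $page));
}

// Remove the constructed fixture.
foreach (["$root/pages/home.php", "$root/secret.php"] as $f) {
    unlink($f);
}
rmdir("$root/pages");
rmdir($root);
```

Run it with `php lfi_demo.php`. The vulnerable function happily echoes the contents of secret.php for the traversal value, on any PHP version including those after 5.3.4, which is the point Stas makes: the null-byte fix removed one trick, but an include() whose argument is user-supplied remains an application bug regardless of tag handling or php.ini options. The hardened function never concatenates request data into a path at all, so there is nothing for a traversal or truncation payload to act on.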