Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:60471
Return-Path: <ceo@l-i-e.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 60115 invoked from network); 5 May 2012 16:38:36 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 5 May 2012 16:38:36 -0000
Authentication-Results: pb1.pair.com smtp.mail=ceo@l-i-e.com; spf=pass; sender-id=pass
Authentication-Results: pb1.pair.com header.from=ceo@l-i-e.com; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain l-i-e.com designates 67.139.134.202 as permitted sender)
X-PHP-List-Original-Sender: ceo@l-i-e.com
X-Host-Fingerprint: 67.139.134.202 o2.hostbaby.com FreeBSD 4.7-5.2 (or MacOS X 10.2-10.3) (2)
Received: from [67.139.134.202] ([67.139.134.202:4077] helo=o2.hostbaby.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id C6/45-30075-B8755AF4 for <internals@lists.php.net>; Sat, 05 May 2012 12:38:36 -0400
Received: (qmail 10023 invoked by uid 98); 5 May 2012 16:38:35 -0000
Received: from localhost by o2.hostbaby.com (envelope-from <ceo@l-i-e.com>, uid 1013) with qmail-scanner-2.05 
 ( 
 Clear:RC:1(127.0.0.1):. 
 Processed in 0.037324 secs); 05 May 2012 16:38:35 -0000
Received: from localhost (HELO www.l-i-e.com) (127.0.0.1)
  by localhost with SMTP; 5 May 2012 16:38:34 -0000
Received: from webmail
        (SquirrelMail authenticated user ceo@l-i-e.com)
        by www.l-i-e.com with HTTP;
        Sat, 5 May 2012 11:38:34 -0500
Message-ID: <34bba9dbe01263f93d7a91c3f11e289a.squirrel@www.l-i-e.com>
In-Reply-To: <4F8515AF.8060706@sugarcrm.com>
References:
    <CAGa2bXZ6G=Cphjrde3u1Mq3AAw-4yJk3s28vNe+Aybt2nGTumg@mail.gmail.com>
    <CAGa2bXZh4uMeUH_BSCFmfNgxS-SZC0svA9BPcSROjwmbfrtFyQ@mail.gmail.com>
    <CAGa2bXbhi4zdgd9Udo6KsoycDwg_Ke0Xe5h3_-fVDMvn_VfAjQ@mail.gmail.com>
    <A633CF2D7C7BED41B41F1E64F25507B806A5CDD6C2@MAILR001.mail.lan>
    <CAGa2bXZKfQ+HqOucwOnBH7gV84hpdxZb5qNY3t3ThF_zMKSGHw@mail.gmail.com>
    <4F850D06.10701@sugarcrm.com>
    <CAGa2bXZWrRh8RdMtKK_2_U_XmByC-O6hGRPrJyW5KwvE0CAK-w@mail.gmail.com>
    <4F8515AF.8060706@sugarcrm.com>
Date: Sat, 5 May 2012 11:38:34 -0500
To: "internals@lists.php.net" <internals@lists.php.net>
User-Agent: SquirrelMail/1.4.21 [SVN]
MIME-Version: 1.0
Content-Type: text/plain;charset=iso-8859-1
Content-Transfer-Encoding: 8bit
X-Priority: 3 (Normal)
Importance: Normal
Subject: Re: [PHP-DEV] Re: Disabling PHP tags by php.ini and CLI options
From: ceo@l-i-e.com ("Richard Lynch")

On Wed, April 11, 2012 12:25 am, Stas Malyshev wrote:
> Hi!
>
>> I'm sure you have seen the same code in JSON hijack countermeasure.
>>
>> while(1){}
>
> I think you misunderstood what I means. What I meant is you can inject
> code without <? the same way you can inject code with <?, so where's
> the
> improvement?
> kill() function would be just an example of code being injected by
> hostile third party (intent on killing your server, presumably). If I
> can inject it with <?, what prevents me from injecting without <? ?

Actually, it makes it worse.

I can search for '<?php' (no short open tags) or '<?=' and reject
without the new feature.

Without the new feature, no easy way to detect it contains PHP code.

-- 
brain cancer update:
http://richardlynch.blogspot.com/search/label/brain%20tumor
Donate:
https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=FS9NLTNEEKWBE