Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:72458
Return-Path: <yohgaki@gmail.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 87811 invoked from network); 11 Feb 2014 17:42:58 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 11 Feb 2014 17:42:58 -0000
Authentication-Results: pb1.pair.com header.from=yohgaki@gmail.com; sender-id=pass
Authentication-Results: pb1.pair.com smtp.mail=yohgaki@gmail.com; spf=pass; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.215.48 as permitted sender)
X-PHP-List-Original-Sender: yohgaki@gmail.com
X-Host-Fingerprint: 209.85.215.48 mail-la0-f48.google.com  
Received: from [209.85.215.48] ([209.85.215.48:36151] helo=mail-la0-f48.google.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id 9A/35-62230-0216AF25 for <internals@lists.php.net>; Tue, 11 Feb 2014 12:42:57 -0500
Received: by mail-la0-f48.google.com with SMTP id mc6so6073286lab.7
        for <internals@lists.php.net>; Tue, 11 Feb 2014 09:42:54 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=mime-version:sender:in-reply-to:references:from:date:message-id
         :subject:to:content-type;
        bh=8npwevoizYRKVOwUdAGdhb0EopoeqOOB4ha2ZSagAFs=;
        b=0lx1BD1AVE4x9C3kw1mfRf78MFSKNtGQLhfoNa0xhhsrQSyw3R02Zxs4nyDLvEus7Y
         8m3UjxaRasMpoZV6IzymQAx0lLTLaT3CI4MBmv0S+LTxKOI6EV7N0jA1N/vJb9BtmPTw
         UhwxkGdsQjIjD2qcSt59dCgYJE2ixJetUrMIXkgqwzVUk8nI0O8BGuzMpDKqNASuKutx
         KUuEDV/7NHvVxkKpTKWNrBg4V9h92kYuQsp1/wuHhNvwLar+Iw7YCACJxrizW+HYPM7H
         KccpVHJaijE2ldR4EZBKjPtLP+pZ1vLsU8J4B9xpEYq3eavwmlfIrmIWqc09NzlOLrKf
         6pQg==
X-Received: by 10.112.189.68 with SMTP id gg4mr25722419lbc.18.1392140573783;
 Tue, 11 Feb 2014 09:42:53 -0800 (PST)
MIME-Version: 1.0
Sender: yohgaki@gmail.com
Received: by 10.112.199.37 with HTTP; Tue, 11 Feb 2014 09:42:13 -0800 (PST)
In-Reply-To: <CAGa2bXYU0+eVgnDCkqpG6AWvLCX9gV3+5nzoeD-RJge8Rtw-dQ@mail.gmail.com>
References: <CAGa2bXYU0+eVgnDCkqpG6AWvLCX9gV3+5nzoeD-RJge8Rtw-dQ@mail.gmail.com>
Date: Wed, 12 Feb 2014 02:42:13 +0900
X-Google-Sender-Auth: eBMG_hzLpIDN8gfT7qifgm9KRCs
Message-ID: <CAGa2bXZCBxJczqX6FKz0T0_iV9LzdeHkw46c17NQsanuCCJ9rA@mail.gmail.com>
To: "internals@lists.php.net" <internals@lists.php.net>
Content-Type: multipart/alternative; boundary=001a11c3685860be3504f224fc12
Subject: Re: [RFC] No PHP tags
From: yohgaki@ohgaki.net (Yasuo Ohgaki)

--001a11c3685860be3504f224fc12
Content-Type: text/plain; charset=UTF-8

Hi all,

Let me rephrase. Does anyone argue that the fact

Local script inclusion is *much grater security threat* than local script
expose.

"Local script expose" is the only drawback of this RFC.
Currently, insecure include()/require() allows script execution.
With this RFC, insecure include()/require() may allow script expose.

Latter is obvious error as it shows wrong behavior while script execution
is
not obvious at all. If user care to script expose, they can simply add
"<?php"
at the top of script as it is now.

We can make secure program with register_globals=On as well as embed
everything by default. The same argument applies here. IMHO.


--
Yasuo Ohgaki
yohgaki@ohgaki.net


On Mon, Feb 10, 2014 at 4:35 PM, Yasuo Ohgaki <yohgaki@ohgaki.net> wrote:

> Hi all,
>
> "Optional PHP tags by php.ini and CLI options" RFC has been discussed very
> long time.
>
> https://wiki.php.net/rfc/nophptags
>
> I would like to know is there anyone who would like not to have
> this. I think it's good counter measure for LFI, but you might have
> different perspective.
>
> If it is possible, I would like to address as much as opinions possible
> before voting.
>
> Are there anyone who think we should have this?
> What is the reason?
>
> Thank you
>
> --
> Yasuo Ohgaki
> yohgaki@ohgaki.net
>
>

--001a11c3685860be3504f224fc12--