Newsgroups: php.internals
Date: Wed, 12 Feb 2014 03:11:03 +0900
Subject: Re: [RFC] No PHP tags
From: yohgaki@ohgaki.net (Yasuo Ohgaki)
To: "internals@lists.php.net"

Hi all,

Let me rephrase more accurately. Does anyone argue that the following fact is debatable?

Local script inclusion is a *much greater security threat* than local script exposure.

"Local script exposure" is the only drawback of this RFC.
Currently, insecure include()/require() allows script execution.
With this RFC, insecure include()/require() may allow script exposure.

If users care about script exposure, they can simply add "

wrote:

> Hi all,
>
> Let me rephrase. Does anyone argue that the fact
>
> Local script inclusion is a *much greater security threat* than local script
> exposure.
>
> "Local script exposure" is the only drawback of this RFC.
> Currently, insecure include()/require() allows script execution.
> With this RFC, insecure include()/require() may allow script exposure.
>
> The latter is an obvious error as it shows wrong behavior, while script
> execution is not obvious at all. If users care about script exposure, they
> can simply add
> " at the top of script as it is now.
>
> We can make secure program with register_globals=On as well as embed
> everything by default. The same argument applies here. IMHO.
>
>
> --
> Yasuo Ohgaki
> yohgaki@ohgaki.net
>
>
> On Mon, Feb 10, 2014 at 4:35 PM, Yasuo Ohgaki wrote:
>
>> Hi all,
>>
>> "Optional PHP tags by php.ini and CLI options" RFC has been discussed
>> for a very long time.
>>
>> https://wiki.php.net/rfc/nophptags
>>
>> I would like to know if there is anyone who would not like to have
>> this. I think it's a good countermeasure for LFI, but you might have
>> a different perspective.
>>
>> If it is possible, I would like to address as many opinions as possible
>> before voting.
>>
>> Is there anyone who thinks we should have this?
>> What is the reason?
>>
>> Thank you
>>
>> --
>> Yasuo Ohgaki
>> yohgaki@ohgaki.net