Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:72468
Return-Path:
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 11884 invoked from network); 11 Feb 2014 19:22:57 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 11 Feb 2014 19:22:57 -0000
Authentication-Results: pb1.pair.com header.from=lester@lsces.co.uk; sender-id=unknown
Authentication-Results: pb1.pair.com smtp.mail=lester@lsces.co.uk; spf=permerror; sender-id=unknown
Received-SPF: error (pb1.pair.com: domain lsces.co.uk from 217.147.176.204 cause and error)
X-PHP-List-Original-Sender: lester@lsces.co.uk
X-Host-Fingerprint: 217.147.176.204 mail4.serversure.net Linux 2.6
Received: from [217.147.176.204] ([217.147.176.204:40425] helo=mail4.serversure.net) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id 0A/6A-62230-E887AF25 for ; Tue, 11 Feb 2014 14:22:55 -0500
Received: (qmail 14558 invoked by uid 89); 11 Feb 2014 19:22:51 -0000
Received: by simscan 1.3.1 ppid: 14551, pid: 14554, t: 0.0619s scanners: attach: 1.3.1 clamav: 0.96/m:52
Received: from unknown (HELO linux-dev4.lsces.org.uk) (lester@rainbowdigitalmedia.org.uk@81.138.11.136) by mail4.serversure.net with ESMTPA; 11 Feb 2014 19:22:51 -0000
Message-ID: <52FA7957.2090001@lsces.co.uk>
Date: Tue, 11 Feb 2014 19:26:15 +0000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:27.0) Gecko/20100101 Firefox/27.0 SeaMonkey/2.24
MIME-Version: 1.0
To: internals@lists.php.net
References:
In-Reply-To:
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
Subject: Re: [PHP-DEV] Re: [RFC] No PHP tags
From: lester@lsces.co.uk (Lester Caine)

Yasuo Ohgaki wrote:
> Let me rephrase. Does anyone argue that the fact
> Local script inclusion is *much greater security threat* than local script
> expose.

Since I'm happy to make my scripts available anyway, exposure is irrelevant.
Hackers can see how the code is constructed and see that there is little point
trying to attack me via local script inclusion, simply because I do not allow
any uploaded files to be used within the live code.

But what I don't understand here is why only pure code pages are a risk? Many
of the included files on the sites I'm managing have embedded HTML, so they
need the tags to be active. Header and footer blocks are more HTML than PHP and
use tags to embed variable data along with (now) for the heavier processes.
Surely it's just as easy to be naughty inside a block as it is simply providing
a hacked page of script? That is, if you have unsafe code ... surely switching
off just one '
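The mitigation the message relies on, never letting an uploaded file be reached by an include, can be enforced in code rather than by convention. The following is an added example, not code from the message or from the PHP project: an include helper that accepts only a logical block name, maps it through a fixed allow-list, and then checks the resolved path sits under the template directory and not under the upload directory. The directory locations, the `block` request parameter and the template names are assumptions made for illustration.

```php
<?php
// Added example (not from the original message): restrict include() to a fixed
// allow-list of template files so that a request parameter can never pull in an
// uploaded file or any path outside the template directory.
// TEMPLATE_DIR, UPLOAD_DIR, the 'block' parameter and the file names are assumed.

declare(strict_types=1);

const TEMPLATE_DIR = __DIR__ . '/templates';   // assumed location of header/footer blocks
const UPLOAD_DIR   = __DIR__ . '/uploads';     // assumed location of user uploads

// Only these logical names may be included; this map is the sole source of paths.
const TEMPLATES = [
    'header' => 'header.php',
    'footer' => 'footer.php',
];

// Returns true when $path is a file located strictly inside $dir.
function isUnder(string $path, string $dir): bool
{
    $prefix = rtrim($dir, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0;
}

// Resolves a logical block name to an absolute path, or null if it must be refused.
function resolveTemplate(string $name): ?string
{
    if (!array_key_exists($name, TEMPLATES)) {
        return null;                              // unknown name: refuse
    }
    $path = realpath(TEMPLATE_DIR . '/' . TEMPLATES[$name]);
    $base = realpath(TEMPLATE_DIR);
    if ($path === false || $base === false) {
        return null;                              // file or directory missing
    }
    // The resolved file must live under TEMPLATE_DIR, even if the map above is
    // mis-edited later (e.g. with a '..' component or a symlink).
    if (!isUnder($path, $base)) {
        return null;
    }
    // Uploaded content is never executable as code, regardless of the map.
    $uploads = realpath(UPLOAD_DIR);
    if ($uploads !== false && isUnder($path, $uploads)) {
        return null;
    }
    return $path;
}

// Usage: the request supplies a name, never a path or a file name.
$name = (string) ($_GET['block'] ?? 'header');
$file = resolveTemplate($name);
if ($file === null) {
    http_response_code(400);
    exit('unknown template');
}
include $file;
```

The allow-list is the real control; the `realpath` checks are a second layer so that a later edit of the map, or a symlink dropped into the template directory, still cannot make an upload reachable by `include`.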