Newsgroups: php.internals
Xref: news.php.net php.internals:72490
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Message-ID: <52FACE5D.4060102@lerdorf.com>
Date: Tue, 11 Feb 2014 17:29:01 -0800
From: rasmus@lerdorf.com (Rasmus Lerdorf)
To: Yasuo Ohgaki
CC: "internals@lists.php.net"
References: <52FA67A4.3030708@lerdorf.com>
Subject: Re: [PHP-DEV] Re: [RFC] No PHP tags

On 2/11/14, 3:33 PM, Yasuo Ohgaki wrote:
> I forgot to mention the 2nd. I usually disable the engine for the upload
> directory via httpd.conf, or do not allow uploading anything under the
> webroot.

Right, you don't put your upload dir under your webroot. Even with php
disabled, you wouldn't want your upload dir in your web root since the
bad guys could upload nasty javascript or other interesting things and
xss/csrf your users through that.

As for LFI, I usually just set my open_basedir to the directories I know
my application will access files from. So even if I make a mistake
somewhere, the bad guys won't be able to trick any of my includes into
including any other files. This seems like a much simpler and more
effective way to combat LFI than introducing a template mode.
-Rasmus
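The two layers discussed in this exchange (upload directory outside the DocumentRoot with the PHP engine off, and open_basedir pinned to the directories the application actually reads from), written out as an httpd.conf fragment for mod_php. This is an added example, not configuration from the thread or from PHP itself; the /srv/example/... paths and the hostname are placeholders.

```apache
# Added example (not from the thread). Paths under /srv/example are hypothetical.

<VirtualHost *:80>
    ServerName app.example.test
    # Only this tree is reachable over HTTP; application code and uploads
    # live beside it, not inside it.
    DocumentRoot "/srv/example/public"

    # open_basedir: include/require, fopen(), file_get_contents() and the
    # other filesystem functions refuse any path that does not resolve to
    # one of these prefixes, so a mistake in path handling cannot pull in
    # /etc/passwd or anything else outside the application.
    # php_admin_value (unlike php_value) cannot be overridden by .htaccess
    # or ini_set(), which is what makes it a useful hard limit.
    # The staging directory for uploads is listed because PHP must be able
    # to read the temporary file when the application calls
    # move_uploaded_file().
    php_admin_value open_basedir "/srv/example/public:/srv/example/app:/srv/example/uploads:/srv/example/tmp"
    php_admin_value upload_tmp_dir "/srv/example/tmp"

    <Directory "/srv/example/public">
        Require all granted
        AllowOverride None
    </Directory>
</VirtualHost>

# Uploads are outside DocumentRoot, so Apache never serves them directly,
# whether a file is .php, .html carrying script, or anything else.
# Turning the engine off is a second layer for the case where the
# directory is later exposed (for example through an Alias): mod_php then
# treats .php files there as plain data instead of executing them.
<Directory "/srv/example/uploads">
    php_admin_flag engine off
    Require all denied
</Directory>
```

One caveat open_basedir does not cover: an include whose resolved path lands inside an allowed directory (an uploaded file in /srv/example/uploads, for instance) still executes, so include names should still be validated against a fixed allowlist rather than built from request input.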