Newsgroups: php.internals
Subject: Re: [PHP-DEV] Re: [RFC] No PHP tags
From: Yasuo Ohgaki <yohgaki@ohgaki.net>
To: Rasmus Lerdorf
Cc: internals@lists.php.net
Date: Wed, 12 Feb 2014 11:16:20 +0900
In-Reply-To: <52FACE5D.4060102@lerdorf.com>

Hi Rasmus,

On Wed, Feb 12, 2014 at 10:29 AM, Rasmus Lerdorf wrote:
> On 2/11/14, 3:33 PM, Yasuo Ohgaki wrote:
> > I forgot to mention the 2nd. I usually disable the engine for the upload
> > directory in httpd.conf, or do not allow uploading anything under the webroot.
>
> Right, you don't put your upload dir under your webroot. Even with PHP
> disabled, you wouldn't want your upload dir in your web root since the
> bad guys could upload nasty JavaScript or other interesting things and
> XSS/CSRF your users through that.
>
> As for LFI, I usually just set my open_basedir to the directories I know
> my application will access files from. So even if I make a mistake
> somewhere, the bad guys won't be able to trick any of my includes into
> including any other files. This seems like a much simpler and more
> effective way to combat LFI than introducing a template mode.

I agree completely. Sorry that the RFC was hard to read. I reorganized the RFC.

script() and script_once() will solve most of the LFI issue.

I added an "Open Issue" section. I think all we have to consider is whether we
allow a little inconsistency for directly called scripts or not.

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net
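The two mitigations the thread describes (open_basedir confined to the directories the application reads from, and the PHP engine switched off for the upload directory) as one mod_php httpd.conf fragment. This is an added example, not configuration from the thread or from PHP's own docs; the vhost name and all paths are placeholders.

```apache
<VirtualHost *:80>
    ServerName example.invalid
    DocumentRoot /srv/app/public

    # Confine every file operation of this vhost (include, require, fopen,
    # file_get_contents, ...) to the directories the application legitimately
    # reads from. A path resolving outside these is refused with a warning,
    # so a mistake in an include() cannot be steered to arbitrary files.
    # Directories need the trailing slash: a bare "/srv/app" prefix would
    # also match "/srv/app-old". On Windows the separator is ";" not ":".
    # php_admin_value cannot be overridden from .htaccess, unlike php_value.
    php_admin_value open_basedir "/srv/app/:/tmp/"
</VirtualHost>

# Uploads live outside DocumentRoot (/srv/app/uploads is not under
# /srv/app/public), so nothing in it is reachable by URL. As defence in
# depth, should the directory ever be exposed, make sure PHP never runs
# anything stored there. This does not make it safe to serve uploaded
# HTML/JavaScript from the site's origin, which is why it stays outside
# the webroot in the first place.
<Directory /srv/app/uploads/>
    php_admin_flag engine off
    Options -ExecCGI -Includes
    AllowOverride None
</Directory>
```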