Newsgroups: php.internals
Subject: Re: [PHP-DEV] Re: [RFC] No PHP tags
From: yohgaki@ohgaki.net (Yasuo Ohgaki)
Date: Wed, 12 Feb 2014 15:26:21 +0900
To: Lester Caine
Cc: "internals@lists.php.net"
In-Reply-To: <52FB0920.8040903@lsces.co.uk>
References: <52FA67A4.3030708@lerdorf.com> <52FAB58E.3080701@lsces.co.uk> <52FB0920.8040903@lsces.co.uk>

Hi Lester,

On Wed, Feb 12, 2014 at 2:39 PM, Lester Caine wrote:
> LFI is the one that will allow corrupted files containing .php tags to run
> if you have not taken care of them while they are being uploaded. ONLY
> permanently disabling embedding will guarantee that these files do not get
> accidentally loaded. i.e. 'changes the spirit of PHP too much' ...
>
> ----
> function render_template($template, $template_vars) {
>     ini_set('template_mode', 'on');  // Older PHP ignores
>     include($template, $template_vars); // Or use any other method to render.
>
>     ini_set('template_mode', 'off'); // Older PHP ignores
> }
> ----
>
> Simply pushes the problem around a little and still requires that
> '$template' does not point at a file that contains embedded nasties?
> include($template.'.php', $template_vars); does the job a lot easier?
>

Since current PHP has null byte attack protection, this is good enough
protection. I agree.

The objective of this RFC is to make PHP as secure as other languages.
Other language developers make the same silly mistakes, yet almost all of
them were not considered "critical security issues", unlike PHP. This is
what I would like to change.

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net
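The loader below is an added example, not code from this thread, from the RFC, or from PHP itself. It takes the `include($template.'.php')` idea from Lester's reply and adds the checks a defender would still want around an include() whose name comes from outside: an allowlist on the template name (which also rejects NUL bytes and path separators before realpath() ever sees them), the `.php` extension appended by the loader rather than the caller, and realpath() confinement to the template directory. The proposed `template_mode` setting is not used, since it does not exist in shipping PHP. The directory layout, file names and the "uploaded" file are constructed for the demonstration.

```php
<?php
declare(strict_types=1);

/**
 * Map a caller-supplied template name to a file under $templateDir.
 * Returns the absolute path, or null if the name is not acceptable.
 */
function resolve_template(string $templateDir, string $name): ?string
{
    // 1. Allowlist the name: letters, digits, '_', '-', and single dots between
    //    segments. "../", "/", and NUL bytes all fail here, before any filesystem
    //    call (realpath() on a NUL byte would throw on PHP 8 anyway).
    if (!preg_match('/\A[A-Za-z0-9_-]+(?:\.[A-Za-z0-9_-]+)*\z/', $name)) {
        return null;
    }

    // 2. The loader appends the extension, so an uploaded "avatar.jpg" that
    //    happens to contain "<?php" can never be selected as a template.
    $base = realpath($templateDir);
    $real = realpath($templateDir . '/' . $name . '.php');
    if ($base === false || $real === false) {
        return null; // directory or template does not exist
    }

    // 3. After symlink resolution the file must still be inside the base dir.
    if (strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $real;
}

/**
 * Render a template with $vars in a scope that leaks nothing to or from the caller.
 */
function render_template(string $templateDir, string $name, array $vars): string
{
    $path = resolve_template($templateDir, $name);
    if ($path === null) {
        throw new InvalidArgumentException(
            'unknown template: ' . addcslashes($name, "\0..\37")
        );
    }
    $render = static function (string $__path, array $__vars): string {
        extract($__vars, EXTR_SKIP); // EXTR_SKIP: template vars cannot clobber $__path
        ob_start();
        include $__path;
        return (string) ob_get_clean();
    };
    return $render($path, $vars);
}

// --- constructed demonstration -------------------------------------------
$dir = sys_get_temp_dir() . '/tpl_demo_' . bin2hex(random_bytes(4));
mkdir($dir . '/uploads', 0700, true);
file_put_contents($dir . '/greeting.php', "Hello, <?= htmlspecialchars(\$user) ?>!\n");
// An "uploaded" file containing PHP tags; it is never a reachable template.
file_put_contents($dir . '/uploads/avatar.jpg', "<?php echo 'must never run'; ?>");

echo render_template($dir, 'greeting', ['user' => '<Lester>']);

$tries = ['greeting', 'uploads/avatar.jpg', 'uploads/avatar', "greeting\0.jpg", '../greeting'];
foreach ($tries as $try) {
    printf("%-22s => %s\n", addcslashes($try, "\0"),
        resolve_template($dir, $try) === null ? 'rejected' : 'ok');
}

// Clean up the constructed directory.
unlink($dir . '/uploads/avatar.jpg');
unlink($dir . '/greeting.php');
rmdir($dir . '/uploads');
rmdir($dir);
```

Run it with `php loader.php`: only `greeting` resolves; the four other names are rejected by the allowlist before any file is touched, and the `.jpg` file with PHP tags inside it is unreachable regardless of its contents, which is the property the thread is after even on PHP versions that already strip NUL bytes from include paths.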