Newsgroups: php.internals
Date: Fri, 14 Feb 2014 10:01:35 +0900
From: yohgaki@ohgaki.net (Yasuo Ohgaki)
To: Rasmus Lerdorf
Cc: "internals@lists.php.net"
Subject: Re: [PHP-DEV] Re: [RFC] No PHP tags

Hi Rasmus,

On Fri, Feb 14, 2014 at 9:00 AM, Rasmus Lerdorf wrote:

> Striving to make PHP more secure for neophyte developers is always a
> worthy goal, but it needs to be done in a way that doesn't make things
> worse. I think this particular approach would make things worse by
> needlessly complicating things.

I agree that needless complexity should be avoided.
Switching template mode on and off is tricky, although existing code can be
secured without many lines of change.

There are options for LFI mitigation. There might be a convincing solution.
I cannot think of one now, though.

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net