Newsgroups: php.internals
Date: Sat, 15 Feb 2014 00:53:44 +0100
Message-ID: <1392422024.3990.133.camel@guybrush>
Subject: Re: [PHP-DEV] Re: [RFC] No PHP tags
From: johannes@schlueters.de (Johannes Schlüter)
To: Yasuo Ohgaki
Cc: Rowan Collins, "internals@lists.php.net"

On Sat, 2014-02-15 at 07:28 +0900, Yasuo Ohgaki wrote:
> 3) the include was intended to be non-PHP data, and the attacker
> substitutes PHP code of their choice
> 4) the include was intended to be non-PHP data, and the attacker accesses
> different non-PHP data already on server

People using the wrong feature won't be fixed by adding yet another way
to open a file.

johannes