Newsgroups: php.internals
Date: Thu, 5 Feb 2015 13:05:40 +0700
To: Yasuo Ohgaki
Cc: "internals@lists.php.net"
Subject: Re: [PHP-DEV] [RFC][DISCUSSION] script() and script_once()
From: pierre.php@gmail.com (Pierre Joye)

Hi,

On Thu, Feb 5, 2015 at 8:53 AM, Yasuo Ohgaki wrote:
> Hi all,
>
> I would like to discuss my "must have it in PHP 7" item.
>
> PHP RFC: script() and script_once()
> https://wiki.php.net/rfc/script_and_script_once
>
> I have proposed a similar RFC before.
> Optional PHP tags by php.ini and CLI options
> https://wiki.php.net/rfc/nophptags
>
> Compared to the older proposal, it does not have issues like
> possible script exposure by accident.
>
> Please keep in mind that this discussion is not for
> "Optional PHP tags by php.ini and CLI options".
>
> Thank you all.

I do not see any appealing reason to add yet another set of include function/ops, even less for ini settings.

My reasoning is simple. Nothing we can do will prevent one or the other from shooting himself in each knee, many times. While trying to protect them from doing include $foo where $foo == "somereallybadpath", he will pretty much do the same with echo file_get_contents($foo);

The history of PHP magic security issues tells me one thing: we should leave that to the OS level and report the errors the IO layers return, when it fails.

Cheers,
--
Pierre

@pierrejoye | http://www.libgd.org