Newsgroups: php.internals
From: francois@tekwire.net (François Laupretre)
To: "'Yasuo Ohgaki'", "'reeze'"
Date: Thu, 5 Feb 2015 10:33:34 +0100
Subject: RE: [PHP-DEV] Re: [RFC][DISCUSSION] script() and script_once()
Message-ID: <01a601d04126$d0aebe60$720c3b20$@tekwire.net>

> From: yohgaki@gmail.com [mailto:yohgaki@gmail.com] On behalf of Yasuo Ohgaki
> How about an alternative way that turns 'require' into non embedded mode by INI switch?

A big NO for me, as I am using 'include/require' in a lot of programs to include template files containing mixed text/php contents. And I'm probably not the only one.

Another reason is, like Adam, that I don't want another INI switch to change the interpreter behavior. When releasing a program, documenting and debugging ini switch dependencies is a nightmare. Even adding an 'extension=' line is a problem for many final users. So, please don't add another ini switch.

I am not opposed to the first option, while I don't really see the 'extremely severe security breach' brought by authorizing mixed text/php-code contents. Do you mean that including a forged path will release confidential file contents? Well, that's right, but chroot exists, and I would prefer a way to ensure the forged path is detected as such and rejected by the include statement. Something like tainting (a good candidate for inclusion in PHP 7, even if it requires more work).

Cheers

François