Newsgroups: php.internals
Date: Thu, 5 Feb 2015 19:20:53 +0900
To: Leigh
Cc: Adam Harvey, reeze, "internals@lists.php.net"
Subject: Re: [PHP-DEV] Re: [RFC][DISCUSSION] script() and script_once()
From: yohgaki@ohgaki.net (Yasuo Ohgaki)

Hi Leigh,

On Thu, Feb 5, 2015 at 5:31 PM, Leigh wrote:

> On 5 February 2015 at 05:37, Adam Harvey wrote:
> > I'm not totally clear on what this RFC is proposing, honestly. Is the
> > new script statement meant to only include files that are entirely
> > wrapped in tags? Are files included that way assumed to
> > be PHP and don't require tags? Something else?
> >
>
> This is my initial reaction to the RFC, it doesn't state the
> _specific_ difference between include/script. I understand what was
> proposed in the nophptags RFC, but I have to make an assumption for
> this RFC.
>
> My assumption is that you want script* to not require parsing. i.e.
> including /etc/passwd would be a parse failure.

I'm proposing *SCRIPT* only inclusion. This can be done by

 - allowing "" anywhere (We may allow at the end possibly)

Those who do not understand my point, please search for "PHP LFI" or
"PHP file inclusion" for real-life security issues.

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net
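
An added example, not code from this thread or from the RFC: one userland approximation of the script-only inclusion idea discussed above, built on PHP's tokenizer. The helper name is_script_only() and its acceptance rule (the file opens with "<?php", no text outside PHP mode, "?>" only as the final token) are assumptions made for illustration, and the sample inputs are constructed.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (not part of PHP or of the RFC): returns true only when
// $source is PHP code from its first byte to its last.
function is_script_only(string $source): bool
{
    if (strncmp($source, '<?php', 5) !== 0) {
        return false;               // plain data files (passwd-style text) stop here
    }
    $tokens = token_get_all($source);
    if (!is_array($tokens[0]) || $tokens[0][0] !== T_OPEN_TAG) {
        return false;               // the tokenizer did not see a real open tag
    }
    $last = count($tokens) - 1;
    foreach ($tokens as $i => $token) {
        if (!is_array($token)) {
            continue;               // single-character tokens such as ";" or "{"
        }
        if ($token[0] === T_INLINE_HTML) {
            return false;           // text outside PHP mode would be echoed verbatim
        }
        if ($token[0] === T_CLOSE_TAG && $i !== $last) {
            return false;           // "?>" is tolerated only as the very last token
        }
    }
    return true;
}

// Constructed sample inputs, not taken from the thread.
$samples = [
    'pure script'         => "<?php\nfunction f() { return 1; }\n",
    'passwd-style data'   => "root:x:0:0:root:/root:/bin/sh\n",
    'data, then PHP'      => "some text\n<?php echo 1; ?>\n",
    'script, then data'   => "<?php echo 1; ?>\ntrailing text\n",
    'close tag in string' => "<?php echo '?>';\n",
    'close tag at end'    => "<?php echo 1; ?>\n",
];
foreach ($samples as $label => $source) {
    printf("%-20s %s\n", $label, is_script_only($source) ? 'accept' : 'reject');
}
```

Because the tokenizer decides where PHP mode ends, a "?>" inside a string literal is accepted while one that really closes the script mid-file is not. A userland check like this runs separately from include, so the file can change between the check and its use.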