Newsgroups: php.internals
Xref: news.php.net php.internals:81892
Date: Thu, 5 Feb 2015 17:24:41 +0700
To: Yasuo Ohgaki
Cc: Leigh, Adam Harvey, reeze,
"internals@lists.php.net"
Subject: Re: [PHP-DEV] Re: [RFC][DISCUSSION] script() and script_once()
From: pierre.php@gmail.com (Pierre Joye)

On Thu, Feb 5, 2015 at 5:20 PM, Yasuo Ohgaki wrote:
> Hi Leigh,
>
> On Thu, Feb 5, 2015 at 5:31 PM, Leigh wrote:
>
>> On 5 February 2015 at 05:37, Adam Harvey wrote:
>> > I'm not totally clear on what this RFC is proposing, honestly. Is the
>> > new script statement meant to only include files that are entirely
>> > wrapped in tags? Are files included that way assumed to
>> > be PHP and don't require tags? Something else?
>> >
>>
>> This is my initial reaction to the RFC: it doesn't state the
>> _specific_ difference between include/script. I understand what was
>> proposed in the nophptags RFC, but I have to make an assumption for
>> this RFC.
>>
>> My assumption is that you want script* to not require
>> parsing, i.e. including /etc/passwd would be a parse failure.
>
> I'm proposing *SCRIPT* only inclusion. This can be done by
>
> - allowing
> - not allowing "?>" anywhere (We may allow it at the end possibly)
>
> To those who do not understand my point:
> please search for "PHP LFI" or "PHP file inclusion" for real-life
> security issues.

I do understand what you are trying to achieve, from all points of view.

However, I strongly disagree with this as a security improvement. I see this
more as yet another attempt to replace what should be done at the OS level.

Cheers,
--
Pierre

@pierrejoye | http://www.libgd.org
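Added example, not from the thread or from the RFC: a userland PHP approximation of the script-only inclusion Yasuo describes, which accepts a file only if it opens with the PHP open tag and contains no close tag, so a non-PHP file such as a copy of /etc/passwd is rejected before it is ever included. The class, method and temporary file names are this example's own.

```php
<?php
// Added example (not the RFC's own implementation): accept a file for
// inclusion only if it starts with "<?php" and never contains "?>".
declare(strict_types=1);

final class ScriptOnlyInclude
{
    /** Return null if $path is a script-only file, or the reason it was rejected. */
    public static function reject(string $path): ?string
    {
        $src = @file_get_contents($path);
        if ($src === false) {
            return "unreadable: $path";
        }
        // Must begin with the open tag followed by whitespace; a BOM or any
        // leading text (e.g. a passwd line) fails here.
        if (!preg_match('/\A<\?php\s/', $src)) {
            return 'does not start with the PHP open tag';
        }
        // No close tag anywhere, so the file cannot switch to inline text mode.
        if (strpos($src, '?>') !== false) {
            return 'contains a close tag';
        }
        return null;
    }

    /** Include $path only if it passes the check; throw otherwise. */
    public static function scriptOnce(string $path): mixed
    {
        $why = self::reject($path);
        if ($why !== null) {
            throw new RuntimeException("script_once rejected $path: $why");
        }
        return require_once $path;
    }
}

// Constructed inputs written to temp files so the example runs stand-alone.
$dir  = sys_get_temp_dir();
$good = "$dir/script_only_good.php";
$bad  = "$dir/script_only_passwd.txt";
file_put_contents($good, "<?php\nreturn 'loaded';\n");
file_put_contents($bad, "root:x:0:0:root:/root:/bin/bash\n");

var_dump(ScriptOnlyInclude::reject($good));     // accepted
var_dump(ScriptOnlyInclude::reject($bad));      // rejected: no open tag
var_dump(ScriptOnlyInclude::scriptOnce($good)); // value returned by the script
```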