Newsgroups: php.internals
Xref: news.php.net php.internals:81893
Subject: Re: [PHP-DEV] Re: [RFC][DISCUSSION] script() and script_once()
From: yohgaki@ohgaki.net (Yasuo Ohgaki)
Date: Thu, 5 Feb 2015 19:47:05 +0900
To: Pierre Joye
Cc: Leigh, Adam Harvey, reeze, internals@lists.php.net

Hi Pierre and all,

On Thu, Feb 5, 2015 at 7:24 PM, Pierre Joye wrote:
>
> > I'm proposing *SCRIPT* only inclusion. This can be done by
> >
> > - allowing "
> > - not allowing "?>" anywhere (We may allow at the end possibly)
> >
> > Those who do not understand my point:
> > please search for "PHP LFI" or "PHP file inclusion" for real-life
> > security issues.
>
> I do understand what you try to achieve, from all points of view.
> However, I strongly disagree with this as a security improvement. I see
> this more as yet another attempt to replace what should be done at the
> OS level.

This is the "PHP inclusion" search result:
http://www.exploit-db.com/search/?action=search&filter_page=1&filter_description=PHP&filter_exploit_text=inclusion&filter_author=&filter_platform=0&filter_type=0&filter_lang_id=0&filter_port=&filter_osvdb=&filter_cve=

While I understand your opinion, and the methodology is indeed good
practice, I cannot ignore the fact that PHP is *MUCH* more vulnerable
than other languages. Other languages do not have as many security
issues as PHP.

The reason is simple. PHP always enables embedding mode for script
inclusion. The solution is simple, too: provide a non-embedding mode for
script inclusion.

PHP is made for the web, and the web is a priority target of attackers.
PHP should be safer than it is now, at least at the same level as other
languages. I hope there will be a consensus to make PHP as safe as other
languages.

Your proposal requires admins to do the job. It's better to have a
developer option.

Do any of you have other preferred options for developers?
Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net
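An added example, not code from the RFC or from either author, sketching in userland PHP what a script-only inclusion check along the lines of the proposal could look like. It assumes the rule is "PHP open tag first, no close tag and no inline HTML anywhere", and uses the tokenizer rather than a substring search so that a `?>` inside a string or comment is not a false positive; `script()` and `scriptOnlyViolation()` are hypothetical names.

```php
<?php
// Added example (not from the RFC or the thread): a userland approximation
// of the proposed "script only" inclusion. Assumption: a qualifying file
// starts with the PHP open tag and contains no close tag and no inline HTML.
declare(strict_types=1);

/**
 * Return null when $source is a pure PHP script, otherwise the reason it
 * is not. The tokenizer is used so "?>" in strings/comments is ignored.
 */
function scriptOnlyViolation(string $source): ?string
{
    $tokens = token_get_all($source);
    if ($tokens === [] || !is_array($tokens[0]) || $tokens[0][0] !== T_OPEN_TAG) {
        return 'file does not start with a PHP open tag';
    }
    foreach ($tokens as $token) {
        if (!is_array($token)) {
            continue;   // single-character tokens such as ';' or '('
        }
        [$id, , $line] = $token;
        if ($id === T_CLOSE_TAG) {
            return "close tag on line $line";
        }
        if ($id === T_INLINE_HTML) {
            return "non-PHP content on line $line";
        }
    }
    return null;
}

/**
 * Include $path only if it is a pure script; throw otherwise.
 * Caveat: the bytes checked and the bytes included are read separately,
 * so a real implementation must check and execute the same buffer.
 */
function script(string $path)
{
    $source = file_get_contents($path);
    if ($source === false) {
        throw new RuntimeException("cannot read $path");
    }
    if (($why = scriptOnlyViolation($source)) !== null) {
        throw new RuntimeException("refusing to include $path: $why");
    }
    return include $path;
}

// Constructed samples: a pure script passes; a template with a close tag and
// a file with non-PHP bytes before the open tag are both rejected.
var_dump(scriptOnlyViolation("<?php\nreturn 1;\n"));
var_dump(scriptOnlyViolation("<?php\n\$x = 1; ?>\n<p>html</p>\n"));
var_dump(scriptOnlyViolation("GIF89a\n<?php return 2;\n"));
```

This only decides whether a file is a script before executing it; it does not constrain which paths may be included, which is the OS-level and path-validation concern Pierre raises.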