Newsgroups: php.internals
Xref: news.php.net php.internals:81895
Subject: Re: [PHP-DEV] Re: [RFC][DISCUSSION] script() and script_once()
From: Yasuo Ohgaki (yohgaki@ohgaki.net)
To: Pierre Joye
Cc: Leigh, Adam Harvey, reeze, internals@lists.php.net
Date: Thu, 5 Feb 2015 19:52:04 +0900

Hi Pierre,

On Thu, Feb 5, 2015 at 7:24 PM, Pierre Joye wrote:
> I do understand what you try to achieve, from all points of view.
> However I strongly disagree with this as a security improvement. I see
> this more as yet another attempt to replace what should be done at the
> OS level.

I should have mentioned that OS-level protection cannot be perfect either. For example, if an app allows uploading image files, the OS must allow access to the image files. Since PHP includes scripts in embedded mode, an attacker can easily embed an attack script in an image file....

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net
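The mechanism Yasuo refers to, as an added example written for this page (it is not code from the thread, from the RFC, or from PHP itself): a constructed "image" file whose tail is PHP code is executed as soon as a user-controlled path reaches include(), because include() reads the file in embedded mode and switches to code at the first open tag. Beside the vulnerable pattern sit an allow-list include and a script-only check that approximates the idea behind the proposed script(), not its implementation. The temp paths, the function names, the TEMPLATES table and the page parameter are assumptions made for the example.

```php
<?php
// Added example for this page (not code from the thread or the RFC).
// Shows why OS-level file permissions cannot stop an uploaded "image" from
// executing once a user-controlled path reaches include(): include() reads
// the target in embedded (template) mode, emits everything before the first
// <?php tag as output, and executes whatever follows it.

// Constructed polyglot upload: GIF magic bytes followed by PHP code. A real
// attacker would hide the payload inside a genuinely valid image.
$dir   = sys_get_temp_dir() . '/inc_demo_' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
$image = $dir . '/avatar.gif';
file_put_contents($image, "GIF89a\x01\x00\x01\x00\x80\x00\x00;"
    . '<?php define("PAYLOAD_RAN", true); ?>');

// Vulnerable pattern (hypothetical app): a page parameter joined to a path.
// With $page = "../uploads/avatar.gif" the attacker's file is included and its
// embedded code runs as the web server user; the OS has to grant that user
// read access to uploads anyway, because the app serves them.
function render_page_vulnerable(string $base, string $page): void
{
    include $base . '/' . $page;
}

// Hardened form: user input selects a key in a fixed allow-list; it never
// becomes part of a path.
const TEMPLATES = ['home' => 'home.php', 'about' => 'about.php'];
function render_page_safe(string $base, string $page): void
{
    if (!isset(TEMPLATES[$page])) {
        throw new InvalidArgumentException("unknown page: $page");
    }
    include $base . '/' . TEMPLATES[$page];
}

// Defence in depth in the spirit of the proposed script(): refuse to execute
// anything that is not a pure PHP script (starts with the PHP open tag and
// never drops back into embedded mode via a close tag). This is an
// approximation written for this example, not the RFC's implementation.
function include_script_only(string $path): void
{
    $src = file_get_contents($path);
    if ($src === false
        || strncmp($src, '<?php', 5) !== 0
        || strpos($src, '?>') !== false) {
        throw new RuntimeException("refusing to execute non-script file: $path");
    }
    include $path;
}

// Demonstration.
ob_start();                                   // swallow the GIF bytes that
render_page_vulnerable($dir, 'avatar.gif');   // embedded mode echoes
ob_end_clean();
echo 'vulnerable include: payload ran = ',
     defined('PAYLOAD_RAN') ? 'yes' : 'no', "\n";

try {
    include_script_only($image);
} catch (RuntimeException $e) {
    echo 'script-only include: ', $e->getMessage(), "\n";
}

try {
    render_page_safe($dir, '../uploads/avatar.gif');
} catch (InvalidArgumentException $e) {
    echo 'allow-list include: ', $e->getMessage(), "\n";
}

unlink($image);
rmdir($dir);
```

Run it with the PHP CLI (php example.php). The first section reports that the payload ran even though the file has an image name and image magic bytes; the two guarded variants refuse it. Note that the script-only check is only a backstop: the real fix is never letting user input choose what gets included.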