Newsgroups: php.internals
Subject: Re: [PHP-DEV] Re: [RFC][DISCUSSION] script() and script_once()
From: yohgaki@ohgaki.net (Yasuo Ohgaki)
To: Leigh
Cc: internals@lists.php.net, Pierre Joye
Date: Thu, 5 Feb 2015 19:56:57 +0900

Hi Leigh,

On Thu, Feb 5, 2015 at 7:51 PM, Leigh wrote:
> On 5 February 2015 at 10:24, Pierre Joye wrote:
> > I do understand what you try to achieve, from all points of view.
> > However I strongly disagree with this as a security improvement. I see
> > this more as yet another attempt to replace what should be done at the
> > OS level.
>
> I'm inclined to agree, this is just another mitigation against a
> specific vector, not a solution. I'm sure given a little bit of time a
> way to bypass it will be found.
>
> Also introducing this in PHP 7 will not fix all of the currently
> broken apps, nor will it get people to start using this method even if
> they do upgrade to PHP 7.
>
> I honestly think this is one of the cases where education is better.

I think you probably didn't have a chance to read my previous mail.
OS protection is not perfect and PHP is still too weak against inclusion attacks...
We definitely need more protections.

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net