Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:82062
Return-Path: <yohgaki@gmail.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 16513 invoked from network); 6 Feb 2015 19:12:40 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 6 Feb 2015 19:12:40 -0000
Authentication-Results: pb1.pair.com header.from=yohgaki@gmail.com; sender-id=pass
Authentication-Results: pb1.pair.com smtp.mail=yohgaki@gmail.com; spf=pass; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.216.171 as permitted sender)
X-PHP-List-Original-Sender: yohgaki@gmail.com
X-Host-Fingerprint: 209.85.216.171 mail-qc0-f171.google.com  
Received: from [209.85.216.171] ([209.85.216.171:45787] helo=mail-qc0-f171.google.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id 04/40-45146-72215D45 for <internals@lists.php.net>; Fri, 06 Feb 2015 14:12:39 -0500
Received: by mail-qc0-f171.google.com with SMTP id s11so13537704qcv.2
        for <internals@lists.php.net>; Fri, 06 Feb 2015 11:12:37 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=mime-version:sender:in-reply-to:references:from:date:message-id
         :subject:to:cc:content-type;
        bh=y4NJmMVAzc7gfhXcIt49VPKzPiRe49tY3IBEnUfO6M4=;
        b=Eomc1XW86bDWn8OcpjFkUY2O4KMQc4Ke0Nor/TNt9jXmWfMkYa0GXnnO5Awpky+Pu+
         e1sW7M0rTuv8Nrm23v2P+1oBN1xO7psCft7Z2LqtIgFlP4JEM3X6oEHNTAIeBnL4kRVy
         eeSsZFMnFh0veXz3lcjp2ZOZzu2hzDyPwVxgQD9Xf8FnyOOtqe/pUgm59AGbOd8amUF3
         bWffKcbDJM/q19PllQo05Y2DUcZFNL/djlLHEa4v8P5hbP8gMs5fwwN3Jm3sUOs7WQZb
         UWX2AZFrRNcrRlL78v1OGmflJuNySPK4x16pYYYRYURacSLotw3RwLrwJ1S1wnanKY0c
         XuaQ==
X-Received: by 10.140.109.164 with SMTP id l33mr10804172qgf.91.1423249957058;
 Fri, 06 Feb 2015 11:12:37 -0800 (PST)
MIME-Version: 1.0
Sender: yohgaki@gmail.com
Received: by 10.229.28.72 with HTTP; Fri, 6 Feb 2015 11:11:56 -0800 (PST)
In-Reply-To: <CAGa2bXZVR05OAjO3m17g4Ef23Bu+cS_Cu=UGYezrKfLNdK2heQ@mail.gmail.com>
References: <CAGa2bXYzs=5FVF_OXFj+o=S1uq_7fhfMH7Ent9FHfd-ziV_W5Q@mail.gmail.com>
 <CAPwsocGzVu2s9YMTE3qZGtUaUzOmZc9BPs_cfGwOy0AaONGGLg@mail.gmail.com> <CAGa2bXZVR05OAjO3m17g4Ef23Bu+cS_Cu=UGYezrKfLNdK2heQ@mail.gmail.com>
Date: Sat, 7 Feb 2015 04:11:56 +0900
X-Google-Sender-Auth: -j5dh9PpaD_iznnPTzpUsdsURwA
Message-ID: <CAGa2bXbZtKP7NxnfrTHrhU2ZZcFy3NdZakjC9XeSaNHe9YuJGQ@mail.gmail.com>
To: Leigh <leight@gmail.com>
Cc: "internals@lists.php.net" <internals@lists.php.net>
Content-Type: multipart/alternative; boundary=001a113a304e1e0090050e703440
Subject: Re: [PHP-DEV] [RFC][DISCUSSION] Introduce scrpt_path
From: yohgaki@ohgaki.net (Yasuo Ohgaki)

--001a113a304e1e0090050e703440
Content-Type: text/plain; charset=UTF-8

Hi Leigh,

On Sat, Feb 7, 2015 at 3:46 AM, Yasuo Ohgaki <yohgaki@ohgaki.net> wrote:

>
>>
>> I think this is a better solution than script{,_once}. I definitely
>> prefer it over the previous RFC
>
>
> I thought script()/script_once() is enough, but it's not.
> There are modules uses custom script loaders, including phar. Those loader
> may do whatever they want, therefore detecting/deciding file type (i.e.
> PHP script)
> by file content is wrong.
>

If parser state is used, script() solution would work and may remove
script_path.
Then it's possible try to read files as PHP script by require() excluding
upload_path/open_basedir/OS restriction. I think this is acceptable.

Please note that OS solution does not help to prevent PHP from reading
uploaded
script.

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net

--001a113a304e1e0090050e703440--