Newsgroups: php.internals
Date: Sun, 8 Feb 2015 18:03:06 +0900
Subject: Re: [PHP-DEV] [RFC][DISCUSSION] Introduce scrpt_path
From: yohgaki@ohgaki.net (Yasuo Ohgaki)
To: Matthew Leverton
Cc: "internals@lists.php.net"

Hi Matthew,

On Sat, Feb 7, 2015 at 5:29 AM, Matthew Leverton wrote:

> On Fri, Feb 6, 2015 at 1:02 PM, Yasuo Ohgaki wrote:
> >
> > Basically, it's an administrative solution. Application should set these
> > settings or administrator should.
> >
> > Library shouldn't touch the setting, otherwise they hit their own foot.
> >
> If this was a PHP_INI_PERDIR setting, then I wouldn't really mind as much.
>
> But as PHP_INI_USER, I don't like it at all.

How about allowing the ini to be set only once during execution?

To all, please give some feedback.
There is option 5 (Leave as it is), too!

I would like to know your preference. Multiple choices are OK ( +1 / -1 ).
Comments are appreciated.

1. script_path INI. (Defines script path. Almost perfect solution with upload_path INI) [1]
2. upload_path INI. (Exception path in script_path. Protection against require('../../upload/evil');) [1]
3. require_embed INI (Enable/disable require()/require_once() embed (script only) mode. Temp INI) [2]
4. script()/script_once() [3] (No INI switch. Read only scripts. The same as require()/require_once(), require_embed=On)
5. Leave as it is now (No protection against file inclusion & execution attacks.)

[1] script_path defines the script directory, upload_path defines exceptions under script_path.
[2] require_embed is not described in the current RFC. It's an INI to enable/disable script only mode. require_embed should be REMOVED a few years later.
[3] script/script_once is not described in the current RFC. It reads/executes a script-only file.

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net