Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:82414
Return-Path: <yohgaki@gmail.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 8471 invoked from network); 11 Feb 2015 04:00:30 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 11 Feb 2015 04:00:30 -0000
Authentication-Results: pb1.pair.com smtp.mail=yohgaki@gmail.com; spf=pass; sender-id=pass
Authentication-Results: pb1.pair.com header.from=yohgaki@gmail.com; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.216.44 as permitted sender)
X-PHP-List-Original-Sender: yohgaki@gmail.com
X-Host-Fingerprint: 209.85.216.44 mail-qa0-f44.google.com  
Received: from [209.85.216.44] ([209.85.216.44:59671] helo=mail-qa0-f44.google.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id 9E/B1-33902-CD3DAD45 for <internals@lists.php.net>; Tue, 10 Feb 2015 23:00:28 -0500
Received: by mail-qa0-f44.google.com with SMTP id n8so925933qaq.3
        for <internals@lists.php.net>; Tue, 10 Feb 2015 20:00:25 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=mime-version:sender:in-reply-to:references:from:date:message-id
         :subject:to:cc:content-type;
        bh=vumtpfMEpIdYVvdi2L3Wr7pFHxp2wMfQGVkz4dUFf+E=;
        b=cBIDpaUFgb29fPhkASsiXHjMakQiDKphigfbJFimjoJ/1e7YK5mviwoe77nk7iCzjD
         cWXjKlJ6ilHGEZOlJudxsvFkpXlkYz4pAerkBlF1lbgYX1q6bi2pmZieqEmOp4Ne0MqG
         LZlKvfE1cLsa0epDj4X2b3MeTk5MuBD/51AXAoX68mdhDtfF0O6r5hqIc91YrGwIx2pI
         d+xQhS4y7yw1Fypoc5HDtrQAQq5Qdzl9k0BKA9mY6Bt3/se342qbs5EN/aXI9dC9ZdIB
         CW4hCD0ZA4Yt7ZmLSoM/aCoDfZnTIbHguZc+OpzTBlAOQdEa5JsgjQajQ3H7psfm3uNy
         BxmQ==
X-Received: by 10.224.60.193 with SMTP id q1mr59347326qah.86.1423627225524;
 Tue, 10 Feb 2015 20:00:25 -0800 (PST)
MIME-Version: 1.0
Sender: yohgaki@gmail.com
Received: by 10.229.250.195 with HTTP; Tue, 10 Feb 2015 19:59:42 -0800 (PST)
In-Reply-To: <CAEZPtU500iTsny5wtSeRFkO2jyk1Y6p9BRwttPpBt38Ebp_cFg@mail.gmail.com>
References: <CAGa2bXZsANJz_RvsBvC9yBhac+ukHYUngA=GjLOgcqTTPbpGhg@mail.gmail.com>
 <CAEZPtU500iTsny5wtSeRFkO2jyk1Y6p9BRwttPpBt38Ebp_cFg@mail.gmail.com>
Date: Wed, 11 Feb 2015 12:59:42 +0900
X-Google-Sender-Auth: _b-gEg_G6uVid0WBhhwTjkkWZyE
Message-ID: <CAGa2bXZmQuon+0yWKmAsp-WDonQWH_MDaUKFG2pEYpdhcJvMpg@mail.gmail.com>
To: Pierre Joye <pierre.php@gmail.com>
Cc: "internals@lists.php.net" <internals@lists.php.net>
Content-Type: multipart/alternative; boundary=001a1133dee611f42d050ec80b09
Subject: Re: [PHP-DEV] [RFC][DISCUSSION] Script only includes
From: yohgaki@ohgaki.net (Yasuo Ohgaki)

--001a1133dee611f42d050ec80b09
Content-Type: text/plain; charset=UTF-8

Hi Pierre,

On Tue, Feb 10, 2015 at 6:19 PM, Pierre Joye <pierre.php@gmail.com> wrote:

> On Tue, Feb 10, 2015 at 7:52 AM, Yasuo Ohgaki <yohgaki@ohgaki.net> wrote:
> > Hi all,
> >
> > Some of you are tired with this topic, but please take a look the RFC
> >
> > [RFC] Script only includes - this is 3rd version.
> > https://wiki.php.net/rfc/script_only_include
> >
> > Please let me know what you like or dislike.
>
> I said before but this RFC tries to solve a problem using yet another
> "security" feature in the engine while the OS and the webserver
> provides way better solutions without adding a possible new pandora
> box from a security point of view.  Many extensions may have to deal
> with it too. I can only create an empty for all upcoming CVEs about
> xyz not following script_embed. Alone that tells me that we should not
> try again to make php "more secure" using such features.
>
> I suppose script_embed ini setting is siimilar to open_basedir but for
> exec only, which would prevent any script to be exec'ed (require,
> include, via handlers but works for fopen&co) while open_basedir would
> remain the same (aka also for fopen&co). Now, that does prevent one to
> shoot himself in the foot, eval(file_get_contents());. Yes, this is
> stupid thing to do, just a bit more stupid that require
> "someuploadedfile"; but not much more. Trying to implement security
> measures to prevent people to exec codes from an unknown file is a bad
> idea. They will do it one way or another. And if anyone application
> still do include/require(random/uploaded files), then they surely have
> many other problems to solve but none of them is really a php problem


I think I understood your point of view perfectly and thank you for
your comment. We just have different point of views.

This is the last serious PHP design issue for me.
I've been thinking how it could be resolved for a long time and this is
the best. I hope you agree to remove risks of script inclusions.

Let's be nicer to new PHP users!
Don't let them down by embedded mode include()/require()!

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net

--001a1133dee611f42d050ec80b09--