Newsgroups: php.internals
Date: Thu, 12 Feb 2015 02:43:46 +0900
From: yohgaki@ohgaki.net (Yasuo Ohgaki)
To: "internals@lists.php.net"
Subject: Re: [RFC][DISCUSSION] Script only includes

Hi all,

On Tue, Feb 10, 2015 at 9:52 AM, Yasuo Ohgaki wrote:
> Some of you are tired with this topic, but please take a look at the RFC
>
> [RFC] Script only includes - this is the 3rd version.
> https://wiki.php.net/rfc/script_only_include
>
> Please let me know what you like or dislike.

This proposal has a defect. I was excluding old proposals, and it turned out the old proposal was better. Thank you, Stas.

There was a proposal that limits script execution to certain filename extension(s). Currently, PHP has a text script loader and a phar script loader. If we limit script filenames, then all users have to do is check filename extensions. We already have null byte injection protection for filenames. This would be the simplest and would work well against script inclusion.

Comments are appreciated.

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net
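The extension-based check described in the message, written out as an added example; this is not code from the thread or from the RFC, and the function names `script_extension_allowed` and `include_script` are hypothetical. It keeps the two properties the message relies on: a NUL byte in the path is rejected outright (independently of PHP's own protection), and only an explicit allowlist of extensions may be handed to `include`.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (not part of PHP or the RFC): decide whether a path may be
// loaded as a script purely from its filename extension, as the message proposes.
function script_extension_allowed(string $path, array $allowed = ['php', 'phar']): bool
{
    // "x.jpg\0.php" would pass a naive suffix test while the filesystem opens "x.jpg".
    // PHP's file functions already refuse such paths; reject here as well so the
    // decision does not depend on that protection.
    if (strpos($path, "\0") !== false) {
        return false;
    }
    // Deliberately case-sensitive and exact: "avatar.PHP" is not in the allowlist.
    $ext = pathinfo($path, PATHINFO_EXTENSION);
    return $ext !== '' && in_array($ext, $allowed, true);
}

// Wrapper that refuses to include anything failing the extension check.
function include_script(string $path)
{
    if (!script_extension_allowed($path)) {
        throw new RuntimeException(
            'refusing to include non-script file: ' . addcslashes($path, "\0..\37")
        );
    }
    return include $path;
}

// Constructed sample paths for the check only; no files are opened here.
$samples = [
    'lib/helper.php'      => true,
    'bundle.phar'         => true,
    'uploads/avatar.jpg'  => false,
    'uploads/avatar.PHP'  => false, // uppercase extension is not allowlisted
    'config.ini'          => false,
    "uploads/x.jpg\0.php" => false, // NUL byte rejected before any suffix test
    'Makefile'            => false, // no extension at all
];
foreach ($samples as $path => $expected) {
    $got = script_extension_allowed($path);
    printf("%-22s %s\n", addcslashes($path, "\0..\37"), $got === $expected ? 'ok' : 'MISMATCH');
}
```

The allowlist is intentionally small; any loader that should execute code (the text script loader, the phar loader) gets its extension listed, and everything else, including files with no extension, is refused before `include` sees the path.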