Newsgroups: php.internals
Message-ID: <54DB9DA4.2030709@gmail.com>
Date: Wed, 11 Feb 2015 10:21:24 -0800
From: smalyshev@gmail.com (Stanislav Malyshev)
To: Yasuo Ohgaki
CC: "internals@lists.php.net"
References: <54DB0575.8020506@gmail.com>
Subject: Re: [PHP-DEV] [RFC][DISCUSSION] Script only includes

Hi!

> I'm not trying to be perfect, but I would like to make PHP as secure as
> other languages from script inclusion attacks. It's too easy currently...

PHP is already as secure as the other languages. If you have code in Python that loads an arbitrary file and executes it, you could upload a Python file and execute it. If you have code in Ruby that loads an arbitrary file and executes it, you could upload a Ruby file and execute it. If you have code in C that... you get the idea. Same with PHP.

-- 
Stas Malyshev
smalyshev@gmail.com