Newsgroups: php.internals
Subject: Re: [PHP-DEV] [RFC][DISCUSSION] Script only includes
From: yohgaki@ohgaki.net (Yasuo Ohgaki)
To: Stanislav Malyshev
Cc: "internals@lists.php.net"
Date: Thu, 12 Feb 2015 11:25:19 +0900
In-Reply-To: <54DB9DA4.2030709@gmail.com>
References: <54DB0575.8020506@gmail.com> <54DB9DA4.2030709@gmail.com>

Hi Stas,

On Thu, Feb 12, 2015 at 3:21 AM, Stanislav Malyshev wrote:

> > I'm not trying to be perfect, but I would like to make PHP as secure as
> > other languages from script inclusion attacks. It's too easy currently...
>
> PHP is already as secure as the other languages. If you have code in
> Python that loads arbitrary file and executes it, you could upload
> Python file and execute it. If you have code in Ruby that loads
> arbitrary file and executes it, you could upload Ruby file and execute
> it. If you have code in C that... you get the idea. Same with PHP.

Python loads a script like "import foo", where foo is foo.py.
Ruby loads a script like "require 'foo'", where foo is foo.rb.
This is the origin of the difference.

We may have something like this. We may check registered filename extension(s), or may allow omitting registered extension(s). We may take some benchmarks and decide, since these two are basically the same. Faster is better, but I guess "checking" is faster.

What do you think? Comments are appreciated.

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net
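The two include policies sketched in the message above (require a registered extension on the target, or append the registered extension so the caller never supplies one), written as a userland PHP wrapper. This is an added example, not code from the RFC or from PHP itself; the REGISTERED_EXTENSIONS list, the $baseDir argument and the containment check are assumptions.

```php
<?php
// Added example, not part of the RFC: userland sketch of the two policies
// discussed in the thread. Assumes $baseDir holds only trusted script files.
declare(strict_types=1);

const REGISTERED_EXTENSIONS = ['php', 'phtml']; // hypothetical "registered" list

/**
 * Option 1 ($appendExtension = false): the name must already carry a
 * registered script extension, otherwise it is refused.
 * Option 2 ($appendExtension = true): the caller passes a bare name and the
 * registered extension is appended, so no caller-supplied suffix is ever used.
 * Both options then confine the resolved path to $baseDir.
 */
function resolve_script(string $baseDir, string $name, bool $appendExtension): string
{
    if ($appendExtension) {
        // Option 2: only a restricted character set, then our own extension.
        if ($name === '' || preg_match('#[^A-Za-z0-9_/-]#', $name)) {
            throw new InvalidArgumentException("Illegal character in script name: $name");
        }
        $candidate = $baseDir . '/' . $name . '.' . REGISTERED_EXTENSIONS[0];
    } else {
        // Option 1: the extension must be one of the registered ones.
        $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
        if (!in_array($ext, REGISTERED_EXTENSIONS, true)) {
            throw new InvalidArgumentException("Extension '.$ext' is not a registered script extension");
        }
        $candidate = $baseDir . '/' . $name;
    }

    // Both options: resolve symlinks and "..", then confirm the file stays under $baseDir.
    $real = realpath($candidate);
    $base = realpath($baseDir);
    if ($real === false || $base === false
        || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        throw new RuntimeException("Script not found or outside $baseDir: $candidate");
    }
    return $real;
}

// Usage (assumed layout): include_once resolve_script(__DIR__ . '/pages', 'about', true);
```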