Newsgroups: php.internals
Xref: news.php.net php.internals:83488
Date: Mon, 23 Feb 2015 06:23:35 +0900
From: yohgaki@ohgaki.net (Yasuo Ohgaki)
To: internals@lists.php.net
Subject: [RFC] Script only include/require

Hi all,

I wrote a patch and made adjustments in the RFC:

https://wiki.php.net/rfc/script_only_include
https://github.com/php/php-src/pull/1111

Where to check the filename extension is subject to change. At first, I thought implementing this as PHP code was good, but I've changed my mind. It seems better to do it in Zend code. Opinions are appreciated.

This RFC aims to make PHP as secure as other languages with respect to "script inclusion" attacks.

Note: File inclusion is not in the scope of this RFC.

INI Changes:
- "php_script" -> "zend.script_extensions"
- "Allow all files": "*" -> NULL or ""

Open Issues:
- Error type
  - Is it OK to raise E_ERROR/E_RECOVERABLE_ERROR in zend_language_scanner.c?
- Vote type
  - 50%+1 or 2/3

If there is anyone who would like to vote "no" on this RFC, I would like to know the reason and try to address/resolve the issue you have.

Thank you.

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net
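The extension check the RFC proposes, sketched in userland PHP as an added illustration (this is not the RFC's patch or its Zend implementation). The comma-separated list format, case-insensitive matching and the function names are assumptions made for the sketch:

```php
<?php
// Added illustration of the RFC's idea in userland PHP; not the RFC's patch.
// Assumed: the extension list is a comma-separated string (format is an
// assumption), and NULL / "" means "allow all files", as the RFC's INI change says.

/**
 * Parse a zend.script_extensions-style value into a lookup table.
 * Returns null when every file is allowed (the RFC's NULL / "" case).
 */
function parse_script_extensions(?string $ini): ?array
{
    if ($ini === null || trim($ini) === '') {
        return null;                                  // allow all files
    }
    $exts = [];
    foreach (explode(',', $ini) as $ext) {
        $ext = strtolower(ltrim(trim($ext), '.'));     // ".PHP" and "php" compare equal (assumption)
        if ($ext !== '') {
            $exts[$ext] = true;
        }
    }
    return $exts;
}

/**
 * Decide whether a path may be included as a script.
 * Only the final extension counts, so an uploaded "shell.php.jpg" is refused
 * when the list is "php": that is exactly the case the restriction exists for.
 */
function script_include_allowed(string $path, ?array $allowed): bool
{
    if ($allowed === null) {
        return true;
    }
    $ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
    return $ext !== '' && isset($allowed[$ext]);
}

/** Wrapper mimicking the proposed behaviour: refuse first, then include. */
function script_only_require(string $path, ?string $ini)
{
    if (!script_include_allowed($path, parse_script_extensions($ini))) {
        throw new RuntimeException("Refusing to include non-script file: $path");
    }
    return require $path;
}

// Constructed demonstration paths; the checks below touch no files.
$allowed = parse_script_extensions('php, phtml');
var_dump(script_include_allowed('/var/www/app/lib/util.php', $allowed));
var_dump(script_include_allowed('/var/www/uploads/avatar.jpg', $allowed));
var_dump(script_include_allowed('/var/www/uploads/shell.php.jpg', $allowed));
var_dump(script_include_allowed('/var/www/uploads/avatar.jpg', parse_script_extensions('')));
```

The last call shows the allow-all setting: with an empty list the check is a no-op, so the protection only exists once an explicit extension list is configured.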