Newsgroups: php.internals
Date: Mon, 23 Feb 2015 12:55:43 +0900
To: "internals@lists.php.net", Dmitry Stogov, Nikita Popov
Subject: Re: [RFC] Script only include/require
From: yohgaki@ohgaki.net (Yasuo Ohgaki)

Hi Dmitry and Nikita,

On Mon, Feb 23, 2015 at 6:23 AM, Yasuo Ohgaki wrote:

> I wrote a patch and made adjustments in the RFC
> https://wiki.php.net/rfc/script_only_include
> https://github.com/php/php-src/pull/1111
> Where to check the filename extension is subject to change.
> At first, I thought implementing this as PHP code is good, but
> I've changed my mind. It seems better to be done in Zend code.
> Opinions are appreciated.
>
> This RFC aims to make PHP as secure as other languages
> with respect to "script inclusion" attacks.
> Note: File inclusion is not in the scope of this RFC.
>
> INI Changes:
> - "php_script" -> "zend.script_extensions"
> - "Allow all files": "*" -> NULL or ""
>
> Open Issues:
> - Error type - Is it OK to raise E_ERROR/E_RECOVERABLE_ERROR in
> zend_language_scanner.c?
> - Vote type - 50%+1 or 2/3
>
> If there is anyone who would like to vote "no" for this RFC,
> I would like to know the reason and try to address/resolve the issue you have.
>
> Thank you.
>

We don't have to care much about which error is raised from the Zend engine,
since there will be engine exceptions.

My questions are, is it ok to raise E_ERROR or E_RECOVERABLE_ERROR from
zend_language_scanner.c?

https://github.com/php/php-src/pull/1111/files#diff-93ad74868f98ff7232ebea00007c8b7fR624

Does the engine exception catch errors from zend_error_noreturn()?

Thank you.

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net