Newsgroups: php.internals
Date: Tue, 24 Feb 2015 19:20:27 +0900
Subject: Re: [RFC] Script only include/require
From: yohgaki@ohgaki.net (Yasuo Ohgaki)
To: Dmitry Stogov
Cc: internals@lists.php.net, Nikita Popov

Hi Dmitry,

On Tue, Feb 24, 2015 at 4:00 PM, Dmitry Stogov wrote:
> Use E_ERROR.
>
>> https://github.com/php/php-src/pull/1111/files#diff-93ad74868f98ff7232ebea00007c8b7fR624
>>
>> Does the engine exception catch errors from zend_error_noreturn()?
>
> No. It'll be changed into zend_error().

Thank you for the comment.

> I'm not a security expert, but I think that adding a check for the script
> extension won't add a significant level of protection.

I agree. For developers who have more than average skills, this RFC would not be helpful. File inclusions by readfile()/etc. are fatal as well. Users must be careful anyway.

My objective is to reduce the risk of server takeover by script inclusion to a level as low as other languages, and to be nice to new developers. I've audited a number of web applications written in various languages; there isn't much difference in programmers' skills. My samples are too few and do not represent actual figures, but we'll have fewer vulnerable PHP apps because of this. IMHO.

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net
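The thread above discusses an engine-level check that only files with a script extension may be passed to include/require. As an added illustration, not code from the RFC, the pull request, or either author, the wrapper below shows the same idea applied in userland, combined with the allow-list directory check that is what actually bounds the inclusion. The function name, the temporary directory and the sample file names are assumptions; PHP 8 is assumed for the `mixed` return type.

```php
<?php
// Added example, not part of the php.internals thread or the RFC patch.
// Includes a script only if it is a plain file name, lives directly under
// an allow-listed base directory, and carries a .php extension.
declare(strict_types=1);

function safeInclude(string $baseDir, string $name): mixed
{
    $base = realpath($baseDir);
    if ($base === false) {
        throw new RuntimeException("Base directory does not exist: $baseDir");
    }

    // Accept only a bare script name: no directory separators, no ".." and
    // no stream wrapper prefixes can get through this pattern.
    if (!preg_match('/\A[A-Za-z0-9_\-]+\.php\z/', $name)) {
        throw new InvalidArgumentException("Refusing to include '$name'");
    }

    // realpath() resolves symlinks, so re-check that the resolved file is
    // still inside $base and still ends in .php after resolution.
    $path = realpath($base . DIRECTORY_SEPARATOR . $name);
    if ($path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        throw new RuntimeException("'$name' is not an includable script");
    }
    if (pathinfo($path, PATHINFO_EXTENSION) !== 'php') {
        throw new RuntimeException("'$name' does not have a script extension");
    }

    return include $path;
}

// Constructed sample directory (assumption) with one script and one data file.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'safe_include_demo';
@mkdir($dir, 0700);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'page.php', '<?php return "page loaded";');
file_put_contents($dir . DIRECTORY_SEPARATOR . 'notes.txt', 'not a script');

var_dump(safeInclude($dir, 'page.php'));

// Both of these are rejected before include is reached: the first has no
// script extension, the second is not a bare file name under $dir.
foreach (['notes.txt', '../notes.txt'] as $rejected) {
    try {
        safeInclude($dir, $rejected);
    } catch (Throwable $e) {
        echo get_class($e), ': ', $e->getMessage(), "\n";
    }
}
```

Note the point Dmitry makes in the thread: the extension check alone is weak protection, because the real boundary is the allow-listed directory and the bare-name pattern. The wrapper also does nothing for readfile() and similar functions, which disclose rather than execute a file; those need their own allow-list.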