Newsgroups: php.internals
Subject: Re: [PHP-DEV] [RFC] Script only include/require
From: Yasuo Ohgaki <yohgaki@ohgaki.net>
To: Lester Caine
Cc: internals@lists.php.net
Date: Wed, 25 Feb 2015 19:07:05 +0900
In-Reply-To: <54ED9B5F.60006@lsces.co.uk>

Hi Lester,

On Wed, Feb 25, 2015 at 6:52 PM, Lester Caine wrote:

> Totally understand what you are trying to do, and if the users you are
> trying to protect actually downloaded PHP direct from the PHP site it
> may stand a chance of actually doing that, but it's adding restrictions
> that WILL break other distributions, so either they have to re-work what
> they do, or switch it off anyway. The people you are trying to protect
> are going to be downloading a distribution that may well be using
> 'obvious mistakes' such as .inc or .php5 in addition to .php
>
> There have been attempts in the past to make 'script only' files and
> the same sort of restrictions, but the fallout did prove more of a
> problem. Example ... one of the legacy sites I just had to move stopped
> doing any of the navigation stuff and would not send a contact email.
> Was working fine previously ... but when I actually started looking at
> the code, strangely the pages were all .html ... yep ... a complex site
> with lots of content which had originally been hand coded and at some
> point a few little bits of php had been added in. My nginx setup had
> disabled processing .html pages, so broken site. I don't want to rename
> all of the files to .php ... I don't need to ... so I've created a
> php-fpm for .html only and we are working again. Only a few hours wasted,
> but the sort of thing we have to be able to cope with!

I understand people do all kinds of things.

Therefore, I'm allowing

  ini_set('zend.script_extension', ''); // Disable the protection entirely.

It's the user's choice whether they use a systematically secure configuration or not. However, providing a systematically secure method/configuration is our responsibility, IMHO.

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net
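As an added illustration that is not part of the RFC, of PHP itself, or of either poster's message: the script below emulates in userland what the proposed zend.script_extension setting would do inside the engine, including the empty-string case Yasuo describes as switching the protection off. The function names, the whitespace- or comma-separated format of the setting's value, and the fixture files are all assumptions made for the example.

```php
<?php
// Added illustration only: a userland emulation of the behaviour the RFC
// proposes for zend.script_extension. The real proposal is an engine-level
// INI setting; the $allowed string here stands in for that setting, and its
// whitespace/comma-separated list format is an assumption.

function script_extension_allowed(string $path, string $allowed): bool
{
    // An empty setting disables the restriction, mirroring
    // ini_set('zend.script_extension', '') from the e-mail.
    if ($allowed === '') {
        return true;
    }
    $exts = preg_split('/[\s,]+/', $allowed, -1, PREG_SPLIT_NO_EMPTY);
    $base = basename($path);
    foreach ($exts as $ext) {
        $ext = '.' . ltrim($ext, '.');
        // Require the allowed extension as the final suffix, so that
        // "shell.php.html" is judged by ".html", not by ".php".
        if (strlen($base) > strlen($ext)
            && substr($base, -strlen($ext)) === $ext) {
            return true;
        }
    }
    return false;
}

function safe_include(string $path, string $allowed = '.php')
{
    if (!script_extension_allowed($path, $allowed)) {
        throw new RuntimeException("refusing to include non-script file: $path");
    }
    return include $path;
}

// Constructed fixtures: a library file and an "uploaded" HTML template that
// carries a PHP tag, which is the case the restriction is meant to catch.
$dir = sys_get_temp_dir() . '/script_ext_demo_' . getmypid();
mkdir($dir, 0700);
file_put_contents("$dir/lib.php", "<?php return 'library loaded';");
file_put_contents("$dir/upload.html", "<p>hello</p><?php echo 'embedded code ran'; ?>");

try {
    echo safe_include("$dir/lib.php"), "\n";   // allowed: ends in .php

    safe_include("$dir/upload.html");           // blocked under the default list
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";
}

// Lester's legacy site: .html files containing PHP keep working only if
// .html is added to the allow-list (the equivalent of his php-fpm-for-.html
// workaround), or if the restriction is disabled with an empty setting.
safe_include("$dir/upload.html", '.php .html');
echo "\n";
safe_include("$dir/upload.html", '');
echo "\n";

unlink("$dir/lib.php");
unlink("$dir/upload.html");
rmdir($dir);
```

The check looks only at the file name. It stops a path-traversal or upload bug from turning a .html, .inc or .txt file into executable code through include/require, but it does nothing if the attacker can already write a file whose name ends in .php, and it breaks exactly the kind of site Lester describes unless that site's extensions are added to the list or the setting is emptied.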