Newsgroups: php.internals
Message-ID: <54EE50CF.9090508@gmail.com>
Date: Wed, 25 Feb 2015 14:46:39 -0800
From: smalyshev@gmail.com (Stanislav Malyshev)
To: Yasuo Ohgaki, "internals@lists.php.net"
Subject: Re: [RFC][VOTE] Introduce script only include/require

Hi!

> I saw you voted "no".
> Could you share with us the reason behind it?

I think I did, in my past messages to the list, but maybe I was not clear. I will repeat in short:

1. I think this RFC does not provide any security improvement, due to the extreme ease with which the measures in this RFC can be circumvented by the attacker.

2. I think this RFC provides a false sense of security for people that create vulnerable code and lets them think it's OK to have variable includes without adequate safety, since they are "protected" by these changes.

3. I think it causes a significant BC break, which might be warranted in case it provides a major improvement in security, but IMO in the light of the above it does not provide even a minor one.

This is why I vote no and call on everybody to do the same.

-- 
Stas Malyshev
smalyshev@gmail.com
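Added example, not part of the message above nor of the RFC under vote: the reply's second point is that safety for a variable include has to come from the code that performs the include, not from a runtime restriction on what kind of file may be included. The block below shows the unsafe pattern it refers to (an include path taken straight from the request) beside an allowlist-based version in which the request only selects a key and every path reaching `include` is developer-written. The `pages/` directory, the `PAGES` map and the function names are assumptions made for the illustration; nothing here describes how the RFC's mechanism works.

```php
<?php
// Added example: a variable include without adequate safety, beside an
// allowlisted version. Directory layout and names are assumptions.

// Unsafe pattern: the include target is built from request input. Appending
// a fixed suffix does not help; ".." segments are still honoured, so the
// attacker chooses which file on disk gets included, and any restriction on
// the *type* of file included leaves that choice with the attacker.
function include_unsafe(array $request): void
{
    $page = $request['page'] ?? 'home';
    include __DIR__ . '/pages/' . $page . '.php';
}

// Safer pattern: the request picks a key; the path comes from a fixed map.
// Assumed map for the example; the real application would own this list.
const PAGES = [
    'home'    => 'pages/home.php',
    'about'   => 'pages/about.php',
    'contact' => 'pages/contact.php',
];

// Returns the absolute path to include, or null when the request names a
// page that is not in the allowlist. No request-supplied bytes reach the
// returned path; only the developer-written values in PAGES do.
function resolve_page(array $request): ?string
{
    $page = $request['page'] ?? 'home';
    if (!is_string($page) || !array_key_exists($page, PAGES)) {
        return null;
    }
    return __DIR__ . '/' . PAGES[$page];
}

function include_safe(array $request): void
{
    $path = resolve_page($request);
    if ($path === null) {
        http_response_code(404);
        echo "Unknown page\n";
        return;
    }
    include $path;
}

// Constructed requests for a quick check from the command line.
if (PHP_SAPI === 'cli') {
    var_dump(resolve_page(['page' => 'about']) === __DIR__ . '/pages/about.php'); // bool(true)
    var_dump(resolve_page(['page' => '../../config']));                          // NULL
    var_dump(resolve_page(['page' => ['about']]));                               // NULL (array, not string)
    var_dump(resolve_page([]) === __DIR__ . '/pages/home.php');                  // bool(true)
}
```

The allowlist version rejects traversal, array-typed query parameters and unknown names in one place, `resolve_page`, which is also the single function a reviewer has to audit to confirm that no request data ever reaches `include`.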