Newsgroups: php.internals
Xref: news.php.net php.internals:83845
Message-ID: <54EE5634.1040300@seld.be>
Date: Wed, 25 Feb 2015 23:09:40 +0000
To: internals@lists.php.net
In-Reply-To: <54EE50CF.9090508@gmail.com>
Subject: Re: [PHP-DEV] Re: [RFC][VOTE] Introduce script only include/require
From: j.boggiano@seld.be (Jordi Boggiano)

On 25/02/2015 22:46, Stanislav Malyshev wrote:
> 2. I think this RFC provides a false sense of security for people that
> create vulnerable code and lets them think it's OK to have variable
> includes without adequate safety, since they are "protected" by these
> changes.

People that are clueless already do not validate anything and are *NOT* protected by this RFC. People that know what they are doing probably do not need this patch. So, the way I see it, it's a win for random crappy code out there, and a no-op at worst for the others.

> 3. I think it causes a significant BC break which might be warranted in
> case it provides a major improvement in security, but IMO in the light of
> the above it does not provide even a minor one.

A way to mitigate this might be to change the default to include a few more common extensions like phtml, inc, or whatever. As those are all commonly associated with PHP and offer no good reason to be allowed in user uploads, I guess it's safe.

Cheers

-- 
Jordi Boggiano
@seldaek - http://nelm.io/jordi
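As an added example (not code from the RFC, from PHP itself, or from anyone in this thread), the script below puts the two positions side by side: an extension-only check, which is all that restricting include/require to script files can give a variable include, and the userland validation that "adequate safety" actually requires. Assumptions: the allowed-extension list php/phtml/inc mirrors the suggestion in the reply and is not the RFC's real default; the helper names and the temporary "pages" fixture are constructed for the demo. Run it and the table shows that the extension check alone rejects the `/etc/passwd` traversal and the `.jpg` upload, but passes a `.php` file that lives outside the pages directory; only the directory confinement rejects that one.

```php
<?php
declare(strict_types=1);

// Added example, not code from the RFC, from PHP, or from anyone in this thread.
// Assumed: SCRIPT_EXTENSIONS mirrors the reply's suggestion, not the RFC's default;
// function names and the fixture below are made up for the demo.

/** Extensions treated as script files. Assumed list, not the RFC's. */
const SCRIPT_EXTENSIONS = ['php', 'phtml', 'inc'];

/**
 * Extension-only check: what an include restriction keyed on the file
 * extension gives a variable include, and nothing more.
 */
function hasScriptExtension(string $path): bool
{
    // A path with a NUL byte has no meaningful extension; refuse outright.
    if (strpos($path, "\0") !== false) {
        return false;
    }
    $ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
    return in_array($ext, SCRIPT_EXTENSIONS, true);
}

/**
 * Userland validation for a variable include: resolve $requested (untrusted,
 * e.g. $_GET['page']) to an absolute path inside $baseDir, or return null.
 */
function resolveScriptPath(string $baseDir, string $requested): ?string
{
    if (!hasScriptExtension($requested)) {
        return null;
    }
    $base = realpath($baseDir);
    $real = realpath($baseDir . DIRECTORY_SEPARATOR . $requested);
    if ($base === false || $real === false) {
        return null;
    }
    // Directory confinement: realpath() has collapsed "../" and followed
    // symlinks, so a plain prefix comparison on the result is enough.
    if (strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $real;
}

// --- Constructed fixture: a temporary "pages" directory and one file outside it.
$tag     = bin2hex(random_bytes(4));
$pages   = sys_get_temp_dir() . "/pages_$tag";
$outside = sys_get_temp_dir() . "/outside_$tag.php";
mkdir($pages);
file_put_contents("$pages/home.php",       "<?php return 'home page';");
file_put_contents("$pages/footer.inc",     "<?php return 'footer';");
file_put_contents("$pages/avatar.php.jpg", "<?php return 'script hidden in an upload';");
file_put_contents($outside,                "<?php return 'file outside the pages tree';");

$probes = [
    'home.php',                   // legitimate
    'footer.inc',                 // legitimate only because .inc is on the list
    '../../etc/passwd',           // classic traversal; already fails the extension check
    '../' . basename($outside),   // right extension, wrong directory
    'avatar.php.jpg',             // real extension is jpg
    "home.php\0.jpg",             // NUL-byte truncation attempt against old PHP
];

printf("%-8s %-8s %s\n", 'ext-only', 'resolve', 'requested');
foreach ($probes as $p) {
    $resolved = resolveScriptPath($pages, $p);
    printf("%-8s %-8s %s\n",
        hasScriptExtension($p) ? 'pass' : 'reject',
        $resolved === null ? 'reject' : 'ok',
        addcslashes($p, "\0"));
    if ($resolved !== null) {
        $value = include $resolved;   // safe only after resolveScriptPath() succeeded
        echo "         -> included, returned: $value\n";
    }
}

// Remove the fixture.
array_map('unlink', glob("$pages/*"));
rmdir($pages);
unlink($outside);
```

The prefix comparison is done on the output of `realpath()` for both sides, not on the raw request, because the raw string can be rewritten by `..`, symlinks or, on older PHP, a NUL byte before the engine ever sees it; a check that normalises the path first and compares afterwards is the part an extension allow-list cannot replace.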