Newsgroups: php.internals
Xref: news.php.net php.internals:83848
Date: Wed, 25 Feb 2015 23:24:27 +0000
From: Pádraic Brady <padraic.brady@gmail.com>
To: Jordi Boggiano
Cc: internals@lists.php.net
In-Reply-To: <54EE5634.1040300@seld.be>
References: <54EE50CF.9090508@gmail.com> <54EE5634.1040300@seld.be>
Subject: Re: [PHP-DEV] Re: [RFC][VOTE] Introduce script only include/require

Hi Jordi,

On 25 February 2015 at 23:09, Jordi Boggiano wrote:
> On 25/02/2015 22:46, Stanislav Malyshev wrote:
>>
>> 2. I think this RFC provides false sense of security for people that
>> create vulnerable code and lets them think it's OK to have variable
>> includes without adequate safety, since they are "protected" by these
>> changes.
>
> People that are clueless already do not validate anything and are *NOT*
> protected by this RFC. People that know what they are doing probably do not
> need this patch. So the way I see it it's a win for random crappy code out
> there, and a noop at worst for the others.

Not so. From a defense in depth perspective (perhaps the programmer in
the next seat is error prone), I'd expect it to be enabled anyway. You
lose nothing by using it.

>> 3. I think it causes significant BC break which might be warranted in
>> case it provides major improvement in security, but IMO in the light of
>> the above it does not provide even minor one.
>
> A way to mitigate this might be to change the default to include a few more
> common extensions like phtml, inc, or whatever. As those are all commonly
> associated with PHP and offer no good reason to be allowed in user uploads,
> I guess it's safe.

No objections here for common extensions well established as being
intentionally PHP bearing files.

Paddy

--
Pádraic Brady
http://blog.astrumfutura.com
http://www.survivethedeepend.com
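As an added illustration of the "script only include" idea debated above (not the RFC's patch and not code from anyone in this thread), the following userland wrapper refuses to include any file whose extension is outside an allowlist; the class name, method names and sample paths are constructed, and the default list is the php/phtml/inc set mentioned in the thread.

```php
<?php
declare(strict_types=1);

// Constructed example: a defense-in-depth wrapper around include that only
// loads files with an intentionally PHP-bearing extension. It does not
// validate the path itself; it only refuses non-script extensions.
final class ScriptOnlyInclude
{
    /** @var string[] lower-cased extensions treated as PHP scripts */
    private array $allowed;

    /** @param string[] $allowed extension allowlist (php, phtml, inc by default) */
    public function __construct(array $allowed = ['php', 'phtml', 'inc'])
    {
        $this->allowed = array_map('strtolower', $allowed);
    }

    /** True when $path ends in an allowed extension (case-insensitive). */
    public function isScript(string $path): bool
    {
        // pathinfo() returns the text after the last dot, so "avatar.php.txt"
        // yields "txt" and is rejected; a path with no dot yields "".
        $ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
        return $ext !== '' && in_array($ext, $this->allowed, true);
    }

    /** Include $path only if the extension check passes; throw otherwise. */
    public function includeScript(string $path): mixed
    {
        if (!$this->isScript($path)) {
            throw new RuntimeException("Refusing to include non-script file: $path");
        }
        return include $path;
    }
}

// Constructed sample paths: the first two are allowed, the rest blocked.
$soi = new ScriptOnlyInclude();
$samples = [
    'templates/page.phtml',
    'config/db.inc',
    'uploads/avatar.jpg',
    'uploads/avatar.php.txt',
    'uploads/README',
];
foreach ($samples as $path) {
    printf("%-26s %s\n", $path, $soi->isScript($path) ? 'allowed' : 'blocked');
}
```

The check only helps when variable includes actually go through the wrapper; a file that was uploaded with an allowed extension in the first place still passes, which is the limitation Stanislav and Jordi are arguing over.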