Newsgroups: php.internals
In-Reply-To: <54EE5A39.9040401@gmail.com>
References: <54EE50CF.9090508@gmail.com>
<54EE5A39.9040401@gmail.com>
Date: Thu, 26 Feb 2015 00:40:28 +0000
To: Stanislav Malyshev
Cc: "internals@lists.php.net"
Subject: Re: [PHP-DEV] Re: [RFC][VOTE] Introduce script only include/require
From: padraic.brady@gmail.com (Pádraic Brady)

Stanislav,

On 25 February 2015 at 23:26, Stanislav Malyshev wrote:
> else I can say, provided that what I already said - including
> demonstrating trivial workarounds that allow circumventing this feature
> with extreme ease - had no effect.

You keep bringing that up. I keep having to correct you that the RFC does not target your specific example (it's a simple file extension filter). Then you bring it up again, continuing to ignore the examples provided where it could assist in preventing the whole JPEG EXIF mess in the wild.

Nobody is ignoring your example of an unvalidated PHAR upload. It has been responded to more than once. The RFC will not prevent this... because it was never designed to prevent it. It's not even on its radar screen to meddle with phars.

>> Is there some sort of meter on Internals where, in the red, there is
>> an obligation to fill it back up with FUD, logical fallacies and the
>> occasional fib?
>
> I also would really like for you to stop accusing me of lying. I may be
> mistaken, and I am sure I have been many times, but everything I write
> here is a product of careful consideration and thought, and aimed at
> making PHP better. The next instance you do this, I'm not going to
> reply, I'm just going to delete all following communications from you,
> from that point, forever. I can handle very spirited technical
> disagreement, I'm not new on the internet, but I do not see what use
> would be for me to spend my time on being insulted. There are a lot of
> more productive uses of my time. If there's no mutual respect here, then
> the chance of productive cooperation is nil. I hope we can hold
> respectful discussion, even when disagreeing. But if not, then I won't
> participate in any other kind.

I am more than happy to cooperate and discuss any topic. However, this goes both ways. If you insist on repeating the same point, after it has been addressed, over and over again, then cooperation is going to suffer.

Yasuo has demonstrated that the change will prevent a specific vulnerability in the wild. I would ask you to consider that example, and then raise any concern you wish as it pertains to that relevant example, which captures the purpose of this RFC very neatly. To say that there is no benefit is simply not true.

Paddy

-- 
Pádraic Brady
http://blog.astrumfutura.com
http://www.survivethedeepend.com