Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:83863 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 17143 invoked from network); 26 Feb 2015 01:51:52 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 26 Feb 2015 01:51:52 -0000 Authentication-Results: pb1.pair.com smtp.mail=pierre.php@gmail.com; spf=pass; sender-id=pass Authentication-Results: pb1.pair.com header.from=pierre.php@gmail.com; sender-id=pass Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.216.45 as permitted sender) X-PHP-List-Original-Sender: pierre.php@gmail.com X-Host-Fingerprint: 209.85.216.45 mail-qa0-f45.google.com Received: from [209.85.216.45] ([209.85.216.45:33117] helo=mail-qa0-f45.google.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id 05/A3-32243-73C7EE45 for ; Wed, 25 Feb 2015 20:51:51 -0500 Received: by mail-qa0-f45.google.com with SMTP id j7so5732723qaq.4 for ; Wed, 25 Feb 2015 17:51:49 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; bh=pq2qIGc9pruJ2gYbh9IlskGglkoSq+hgKYg83LiXL/8=; b=uV2374uZ612EouRj16ZPtnfZUi0814BMtUasezVGPS67r86QqqJKVgxAhRtroopVTi VJA5AWUbDHLzpnPYplyPQl9ZyvJsNterXqLAmwmuwVUG3MV3t5jZRU3YX9nv9kR5KBBa OntTpNwhViWvnWj+SXR4xeNpLK4bOczugRwEkmAK2aqmIpEoEI31oX9nPSeMQZo0SLzh aCaRXQkZgW6qj9nn5t6ef76jdZjVkoJs/AGHVG4Y258OYuMruzu5NTlrTxzQyhFEQvpS yAIYFe7+Myq1b/XXhf/E1Q3r1Cru36MUZZ7/+l5ntryn/Ocx8d7R1x3rP5QT80KFu+Ef 4mGw== MIME-Version: 1.0 X-Received: by 10.140.133.69 with SMTP id 66mr13593262qhf.17.1424915508990; Wed, 25 Feb 2015 17:51:48 -0800 (PST) Received: by 10.96.39.195 with HTTP; Wed, 25 Feb 2015 17:51:48 -0800 (PST) In-Reply-To: References: <54EE50CF.9090508@gmail.com> <54EE5A39.9040401@gmail.com> Date: Wed, 25 Feb 2015 17:51:48 -0800 Message-ID: To: =?UTF-8?Q?P=C3=A1draic_Brady?= Cc: Stanislav Malyshev , "internals@lists.php.net" Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable Subject: Re: [PHP-DEV] Re: [RFC][VOTE] Introduce script only include/require From: pierre.php@gmail.com (Pierre Joye) On Wed, Feb 25, 2015 at 4:40 PM, P=C3=A1draic Brady wrote: > Stanislav, > > On 25 February 2015 at 23:26, Stanislav Malyshev wr= ote: >> else I can say, provided that what I already said - including >> demonstrating trivial workarounds that allow to circumvent this feature >> with extreme ease - had no effect. > > You keep bringing that up. I keep having to correct you that the RFC > does not target your specific example (it's a simple file extension > filter). Then, you bring it up again...continuing to ignore the > examples provided where it could assist in preventing the whole jpeg > EXIF mess in the wild. I think it won't even prevent that to happen. But this is another long story to explain why. I also voted no for pretty much the same root reasons, it is a fake sense of security. Yes, it may help some basic cases, reducing the surface of attack but that's all about it. This is why I see it as another safemode or magic quotes, not from a feature point of view, but how it tries to solve an actual problem using a very partial and weak solution. I am also not very interested to enter the debate again but to state why I voted no. I admire Yasuo in his constant effort to improve PHP security from an end user point of view and I sadly disagree with the solution he provides with this RFC. Cheers, Pierre