Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:83933 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 2865 invoked from network); 26 Feb 2015 22:40:29 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 26 Feb 2015 22:40:29 -0000 Authentication-Results: pb1.pair.com header.from=yohgaki@gmail.com; sender-id=pass Authentication-Results: pb1.pair.com smtp.mail=yohgaki@gmail.com; spf=pass; sender-id=pass Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.216.179 as permitted sender) X-PHP-List-Original-Sender: yohgaki@gmail.com X-Host-Fingerprint: 209.85.216.179 mail-qc0-f179.google.com Received: from [209.85.216.179] ([209.85.216.179:38478] helo=mail-qc0-f179.google.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id 58/73-32582-CD0AFE45 for ; Thu, 26 Feb 2015 17:40:28 -0500 Received: by qcvx3 with SMTP id x3so11118265qcv.5 for ; Thu, 26 Feb 2015 14:40:25 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc:content-type; bh=UaiCxU9OKT+5AHe2HIBru9syQSIkEx6suGrGEQoJjrk=; b=QByakb8HvD6aU4ndzQOeG9SkOA259W9QkQgcAq2l4VWDblJaQvENNGQ5Xi0da15h1T xbbd6Vi0OkNByGx+kj3BFmr3BCJfWA32WV6esUsHhe6mtlgsbu8nBekNwWnCzrH2P3u7 DT2prZHU/M+9G5xKkumsYk28WesrHGIG4XrpAg6LlpaqJVo4meeEw7PxK5yZ2xDwI6eZ +IvS2+kKogZIq0QGbNKFJ/TBRxB2HUWAmYNHIij0zeUrMkA1Bwgg3BYyF0RubDBQxfNu mZdp9LKmb/Heqq1AuppEbNbXe/kppetOQrTdg2xUkuAZmxGTfTywpYRhrg/0ZED50RMR 4x0A== X-Received: by 10.140.195.195 with SMTP id q186mr23265299qha.81.1424990424294; Thu, 26 Feb 2015 14:40:24 -0800 (PST) MIME-Version: 1.0 Sender: yohgaki@gmail.com Received: by 10.229.198.8 with HTTP; Thu, 26 Feb 2015 14:39:44 -0800 (PST) In-Reply-To: References: <54EE50CF.9090508@gmail.com> <54EE5A39.9040401@gmail.com> <54EEDE8E.6070201@gmail.com> Date: Fri, 27 Feb 2015 07:39:44 +0900 X-Google-Sender-Auth: d_9dE5MgKHitMFu5d-BD3yY91Y8 Message-ID: To: Stanislav Malyshev Cc: "internals@lists.php.net" Content-Type: multipart/alternative; boundary=001a1143254e0c6e1a051005705e Subject: Re: [PHP-DEV] Re: [RFC][VOTE] Introduce script only include/require From: yohgaki@ohgaki.net (Yasuo Ohgaki) --001a1143254e0c6e1a051005705e Content-Type: text/plain; charset=UTF-8 Hi Stas, On Thu, Feb 26, 2015 at 7:01 PM, Yasuo Ohgaki wrote: > On Thu, Feb 26, 2015 at 5:51 PM, Stanislav Malyshev > wrote: > >> > This can be prevented by restricting phar archive name or forbid all >> > URI name at all. The latter is better choice. >> >> If by "all uri" you mean all streams, that would be very high burden, >> which may break many applications using streams, including phar handling. >> > > Phar has 2 issues. > > 1. It uses URI form for script, but allow_url_include is INI_SYSTEM. > 2. Phar allows any filename extension including none. > > Resolution for these requires BC. We may choose both or one of them. > If there is better idea, we may choose it also. > SInce allow_url_include change is very simple one, I've just made new RFC for it. https://wiki.php.net/rfc/allow_url_include If you find any other issue like this that relates to this RFC, please let me know I'll put this discussion shortly. Regards, -- Yasuo Ohgaki yohgaki@ohgaki.net --001a1143254e0c6e1a051005705e--