Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:83964 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 82039 invoked from network); 27 Feb 2015 06:55:45 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 27 Feb 2015 06:55:45 -0000 Authentication-Results: pb1.pair.com header.from=laruence@php.net; sender-id=unknown Authentication-Results: pb1.pair.com smtp.mail=xinchen.h@zend.com; spf=pass; sender-id=pass Received-SPF: pass (pb1.pair.com: domain zend.com designates 209.85.215.50 as permitted sender) X-PHP-List-Original-Sender: xinchen.h@zend.com X-Host-Fingerprint: 209.85.215.50 mail-la0-f50.google.com Received: from [209.85.215.50] ([209.85.215.50:44730] helo=mail-la0-f50.google.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id 6F/12-32582-EE410F45 for ; Fri, 27 Feb 2015 01:55:43 -0500 Received: by lams18 with SMTP id s18so15643836lam.11 for ; Thu, 26 Feb 2015 22:55:40 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=T/2FcfhFrDCwZt57ysyJT25D0hpOIz8T6KtRh5F1KHA=; b=U373ZBpy3Rb+wv9P0ao3fYRlwf0cV/Os20D9VZG0GEmM7q7xHcb5UxHCkl0Hc0urPG 0IqM+eAmpIYLuO/GmAr4dXPJvGw/jEfmJLshg6gXlaIscoB93zDt9JyJfytM5Cq1gtYO 6uSrp9laHHRd51jp2YjifNZEIQPuR9lesMsUv6v0Dl/fRCWoukIqIgHaVZ28Q7VVMl55 TkSI7UhkFY/0AhENVymYXUj7tN8Js19qqPj/W30TBNO9xn9Ti7hKccL7ULK2HU26SBKY JU8Dvr6HoV+VzElqcAeY56AaUEsdkTsgEDYHPWANKGvLLQmmOS++TbEhlHsGOH0LHf8K I88Q== X-Gm-Message-State: ALoCoQkFirmc0ooX7+Jn+C8U3IiwWA4aSS3QvPrW3tWCO3an9OVS9TaZJ4ImP/On/7skU0saR5Fb+wj5yQn26dOuYAMhImOPkAun/kwHJYDGkvGmonw1XhF4WUDIstbQ7w5WTO/PW9/EeZjIZ0h1KKpqOwZhJIvZqw== X-Received: by 10.152.4.5 with SMTP id g5mr10845393lag.119.1425020139823; Thu, 26 Feb 2015 22:55:39 -0800 (PST) Received: from mail-lb0-f169.google.com (mail-lb0-f169.google.com. [209.85.217.169]) by mx.google.com with ESMTPSA id an8sm637562lbc.45.2015.02.26.22.55.38 for (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 26 Feb 2015 22:55:38 -0800 (PST) Received: by lbiz11 with SMTP id z11so15458882lbi.8 for ; Thu, 26 Feb 2015 22:55:37 -0800 (PST) X-Received: by 10.112.130.39 with SMTP id ob7mr1361931lbb.32.1425020137488; Thu, 26 Feb 2015 22:55:37 -0800 (PST) MIME-Version: 1.0 Received: by 10.114.28.198 with HTTP; Thu, 26 Feb 2015 22:55:17 -0800 (PST) In-Reply-To: References: Date: Fri, 27 Feb 2015 14:55:17 +0800 Message-ID: To: Yasuo Ohgaki Cc: "internals@lists.php.net" Content-Type: text/plain; charset=UTF-8 Subject: Re: [PHP-DEV] [RFC][DISCUSSION] Remove allow_url_include INI From: laruence@php.net (Xinchen Hui) Hey: On Fri, Feb 27, 2015 at 11:44 AM, Yasuo Ohgaki wrote: > Hi all, > > This is RFC for removing "allow_url_include" INI option. [1] > > During "Script only include" RFC[2] discussion, stream wrapper issue is > raised. > I was thinking this issue as a separate issue, but it seems others are not. > > "Script only include" RFC does not cover stream wrapper hole. This RFC > addresses > the hole created by stream wrappers. Those who may be concerned this hole > in "Script > only include" RFC may reconsider your votes by this. > > Without this RFC, "Script only include" RFC may have infinite number of > holes. hmm, does that means, if this RFC won't pass, then script only include RFC should also be rejected? if yes, then maybe you should put them together? thanks > This RFC closes them and make "Script only include" RFC more effective. > > I don't use phar on regular basis, feedback from phar users are appreciated. > If you find yet another hole in [2], please let me know. > > [1] https://wiki.php.net/rfc/allow_url_include > [2] https://wiki.php.net/rfc/script_only_include > > Regards, > > -- > Yasuo Ohgaki > yohgaki@ohgaki.net -- Xinchen Hui @Laruence http://www.laruence.com/