Newsgroups: php.internals
Date: Fri, 27 Feb 2015 15:45:48 +0800
To: Yasuo Ohgaki
Cc: "internals@lists.php.net"
Subject: Re: [PHP-DEV] [RFC][DISCUSSION] Remove allow_url_include INI
From: laruence@php.net (Xinchen Hui)

Hey:

On Fri, Feb 27, 2015 at 2:59 PM, Yasuo Ohgaki wrote:
> Hi Xinchen,
>
> On Fri, Feb 27, 2015 at 3:55 PM, Xinchen Hui wrote:
>>
>> hmm, does that mean, if this RFC won't pass, then the script only include
>> RFC should also be rejected?
>>
>> if yes, then maybe you should put them together?
>
>
> Sorry, I just sent the previous mail before your mail.
>
> We need to fix this regardless of
> https://wiki.php.net/rfc/script_only_include
> If we have both, we close the door for "arbitrary script execution".
> (I mean almost the same as other language level)
>

Sorry, but I am confused by the point: do you want to disable including a
remote PHP file or not?

If yes, how about with allow_url_fopen?

eval(file_get_contents('http://xxxxxx/'));

thanks

> Regards,
>
> --
> Yasuo Ohgaki
> yohgaki@ohgaki.net

--
Xinchen Hui
@Laruence
http://www.laruence.com/
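
The question raised in this message, as an added example (not part of the original mail and not PHP project code): a Python check that lists the places in a PHP source where remotely fetched code would be executed, and reports which of them stay reachable for given `allow_url_fopen` / `allow_url_include` values. The function name, the two regexes and the sample source are assumptions constructed for illustration; the regexes work line by line and do not skip PHP comments.

```python
import re

# include/require whose argument contains a literal remote URL.
INCLUDE_URL = re.compile(
    r"""\b(?:include|require)(?:_once)?\b[^;]*?['"](?:https?|ftp)://""", re.I)
# eval() applied directly to data read through the fopen wrappers.
EVAL_FETCH = re.compile(r"\beval\s*\(\s*@?\s*file_get_contents\s*\(", re.I)


def remote_exec_paths(php_source, allow_url_fopen, allow_url_include):
    """List (line, kind, reachable) for sinks that run remotely fetched PHP.

    reachable says whether the given ini values still let the sink load
    code over the network.
    """
    findings = []
    for lineno, line in enumerate(php_source.splitlines(), 1):
        if INCLUDE_URL.search(line):
            # allow_url_include only takes effect when allow_url_fopen is on,
            # so a URL include needs both switches.
            findings.append((lineno, "include-url",
                             allow_url_fopen and allow_url_include))
        if EVAL_FETCH.search(line):
            # eval() has no ini switch of its own; only the fetch is gated.
            findings.append((lineno, "eval-fetch", allow_url_fopen))
    return findings


# Constructed sample input; example.invalid is a placeholder host.
SAMPLE = """<?php
include 'http://example.invalid/lib.php';
eval(file_get_contents('http://example.invalid/lib.txt'));
require_once __DIR__ . '/local.php';
"""

if __name__ == "__main__":
    for fopen_on, include_on in [(True, True), (True, False), (False, False)]:
        print(f"allow_url_fopen={fopen_on} allow_url_include={include_on}")
        for lineno, kind, reachable in remote_exec_paths(
                SAMPLE, fopen_on, include_on):
            print(f"  line {lineno}: {kind:11s} reachable={reachable}")
```

With `allow_url_include` off and `allow_url_fopen` on, the include on line 2 is blocked while the `eval(file_get_contents(...))` on line 3 is still reported as reachable.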