Newsgroups: php.internals
Xref: news.php.net php.internals:86241
Date: Sat, 16 May 2015 18:18:20 +0900
From: yohgaki@ohgaki.net (Yasuo Ohgaki)
To: internals@lists.php.net
Subject: Preload scripts and preloaded scripts only options

Hi all,

As some of you know, I'm trying to eliminate script inclusion attacks. I have come up with another idea which may have consensus.

The PHP compiler is fast enough for almost all apps without script preloading. However, large sites take advantage of opcache_compile_file() to maximize performance/response time.

How about having a preloaded scripts configuration? In addition, how about having an option that allows preloaded scripts only? This way, PHP will execute only scripts listed in the "whitelist". This is a perfect solution for eliminating PHP script inclusion attacks. In addition, users don't have to preload scripts one by one using opcache_compile_file().

These options may be PHP/Zend or opcache options.

I hope everyone likes the idea. Any objections and/or comments?

Regards,

P.S. It's for PHP 7.1, of course.

--
Yasuo Ohgaki
yohgaki@ohgaki.net
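As an added illustration of the "preloaded scripts only" idea (this is example code written for this page, not the author's proposal, not part of PHP, and not the engine-level option being discussed), the following userland PHP approximates the behaviour: a fixed list of scripts is resolved to canonical paths, warmed with opcache_compile_file(), and any include request that does not resolve to a listed path is refused instead of executed. The `ScriptAllowlist` class, the directory layout, the file names and the request values are all constructed for the demo; it assumes PHP 8 (for `str_starts_with` and the `mixed` return type) and that a real application would take the requested page name from untrusted input such as `$_GET`.

```php
<?php
// Added example, not from the proposal or from PHP itself: a userland
// approximation of "execute only scripts on a preload list".
// Assumes PHP 8; all paths and files below are constructed for the demo.
declare(strict_types=1);

final class ScriptAllowlist
{
    /** @var array<string,true> canonical absolute path => true */
    private array $allowed = [];

    public function __construct(private string $base, array $relativePaths)
    {
        $real = realpath($base);
        if ($real === false) {
            throw new RuntimeException("base directory not found: $base");
        }
        $this->base = $real;
        foreach ($relativePaths as $rel) {
            $abs = realpath($this->base . DIRECTORY_SEPARATOR . $rel);
            // Register only files that exist and live under the base directory.
            if ($abs !== false && str_starts_with($abs, $this->base . DIRECTORY_SEPARATOR)) {
                $this->allowed[$abs] = true;
            }
        }
    }

    /** Warm the opcode cache for every listed script (no-op if opcache is absent). */
    public function preload(): int
    {
        if (!function_exists('opcache_compile_file')) {
            return 0;
        }
        $count = 0;
        foreach (array_keys($this->allowed) as $path) {
            if (@opcache_compile_file($path)) { // warning suppressed when opcache is disabled
                $count++;
            }
        }
        return $count;
    }

    /** Canonical path of the requested script if it is on the list, else null. */
    public function resolve(string $requested): ?string
    {
        $abs = realpath($requested); // collapses "../" and symlinks before the check
        return ($abs !== false && isset($this->allowed[$abs])) ? $abs : null;
    }

    /** Include a script only when it resolves to an allowlisted path. */
    public function requireAllowed(string $requested): mixed
    {
        $path = $this->resolve($requested);
        if ($path === null) {
            throw new RuntimeException("script not in allowlist: $requested");
        }
        return require $path;
    }
}

// --- demo with constructed files in a temporary directory ---
$base = sys_get_temp_dir() . '/allowlist_demo_' . getmypid();
mkdir("$base/pages", 0700, true);
mkdir("$base/uploads", 0700, true);
file_put_contents("$base/pages/home.php", '<?php return "home page";');
file_put_contents("$base/uploads/unlisted.php", '<?php return "never executed";');

$list = new ScriptAllowlist($base, ['pages/home.php']);
echo "preloaded scripts: " . $list->preload() . "\n";

// In a real app these would come from untrusted input; constructed here.
$requests = ['pages/home.php', 'uploads/unlisted.php', 'pages/../uploads/unlisted.php'];
foreach ($requests as $page) {
    try {
        echo "$page => " . $list->requireAllowed("$base/$page") . "\n";
    } catch (RuntimeException $e) {
        echo "$page => refused: " . $e->getMessage() . "\n";
    }
}

// Clean up the constructed files.
unlink("$base/pages/home.php");
unlink("$base/uploads/unlisted.php");
rmdir("$base/pages");
rmdir("$base/uploads");
rmdir($base);
```

Run it with `php allowlist_demo.php`; only `pages/home.php` is included, while the unlisted file and the traversal variant are both refused because `realpath()` canonicalises the request before the membership check. The point the proposal makes is that this check would be enforced by the engine for every `include`/`require`, so application code could not bypass it; the userland version only protects the code paths that go through `requireAllowed()`.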