Newsgroups: php.internals
Xref: news.php.net php.internals:86242
Subject: RE: [PHP-DEV] Preload scripts and preloaded scripts only options
From: François Laupretre <francois@php.net>
To: Yasuo Ohgaki
Date: Sat, 16 May 2015 15:04:13 +0200
Message-ID: <001101d08fd8$cf5beb40$6e13c1c0$@php.net>

> From: yohgaki@gmail.com [mailto:yohgaki@gmail.com] On behalf of Yasuo Ohgaki
>
> As some of you know, I'm trying to eliminate script inclusion attacks.
> I came up with another idea which may have consensus.
>
> The PHP compiler is fast enough for almost all apps without script preloading.
> However, large sites take advantage of opcache_compile_file() to maximize
> performance/response.
>
> How about having a preloaded scripts configuration?
> In addition, how about an option that allows preloaded scripts only?
>
> This way, PHP will execute only scripts listed in the "whitelist".
> This is a perfect solution for eliminating PHP script inclusion attacks.
> In addition, users don't have to preload scripts one by one using
> opcache_compile_file().
>
> These options may be PHP/Zend or opcache options.

Does it mean you preload every script you could use? In a typical application with potential access to, say, 4,000/5,000 PHP scripts, does it mean you will preload them all before running anything? I hope it is not the case because it's generally impossible to know in advance which files you'll need. That's even the main benefit of autoloading.

An idea I had during a previous thread about script inclusion is a way to register a list of patterns that paths should match. The main script would register them and, then, every include/require would be filtered through the list. It just requires running realpath() and matching the result against a set of patterns. Don't know the performance impact. Just an idea.

Regards

François
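The realpath()-plus-pattern filter sketched above, as an added userland example written for this page (it is neither code from the thread nor part of PHP); the `IncludeAllowlist` class, the fnmatch()-style glob syntax for the patterns and the `src/` and `vendor/` layout under `__DIR__` are all assumptions.

```php
<?php
// Every include is canonicalised with realpath() and accepted only if the
// result matches one of the registered glob patterns.
final class IncludeAllowlist
{
    /** @var string[] fnmatch() patterns over canonical absolute paths (assumed syntax) */
    private array $patterns = [];

    public function register(string $pattern): void
    {
        $this->patterns[] = $pattern;
    }

    /** Canonical path if the file exists and is allowed, null otherwise. */
    public function resolve(string $path): ?string
    {
        $real = realpath($path);
        // realpath() returns false for a missing file or a dangling symlink;
        // refuse rather than fall back to the raw, uncanonicalised string.
        if ($real === false) {
            return null;
        }
        // $real has no '..' or symlink segments left, so a pattern anchored at
        // an absolute directory cannot be escaped by traversal in the request.
        // Without FNM_PATHNAME, '*' also matches '/', so subdirectories are covered.
        foreach ($this->patterns as $pattern) {
            if (fnmatch($pattern, $real)) {
                return $real;
            }
        }
        return null;
    }

    /** Drop-in for require: throws instead of including a path off the list. */
    public function requireFile(string $path)
    {
        $real = $this->resolve($path);
        if ($real === null) {
            throw new RuntimeException("include refused: $path");
        }
        return require $real;
    }
}

// Constructed usage (hypothetical layout): only the app's own src/ tree and
// Composer-style vendor/*/*/src/ trees may be included.
$root  = realpath(__DIR__);
$allow = new IncludeAllowlist();
$allow->register($root . '/src/*.php');
$allow->register($root . '/vendor/*/*/src/*.php');
$allow->requireFile(__DIR__ . '/src/bootstrap.php');          // runs only if it exists and matches
var_dump($allow->resolve(__DIR__ . '/config.php') === null);   // not under src/ or vendor/: refused
```

Only includes routed through `requireFile()` are filtered; a plain `include`/`require` elsewhere in the code base bypasses the list, which is why the thread discusses doing this check in the engine rather than in userland.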