Hi,

2012/4/10 Stas Malyshev <smalys...@sugarcrm.com>:
> Hi!
>
>> Tom's RFC is trying to introduce tagless PHP script.
>> However, it does not fix well known PHP vulnerability. i.e. LFI/RFI
>> IMHO, this change introduces more complexity and does not solve
>> any problem.
>
> I'm not sure I follow - which PHP vulnerability you are talking about?

Local file includes. (LFI)

There is a null byte protection for LFI and I really like the protection.
It's also beneficial to other problems. However, it would not help code
like "include $_REQUEST['var']"

LFI is a fatal vulnerability. It would be better to kill the vulnerability
if we can. IMHO.

Regards,

P.S. Mandatory embedded script mode does not make much sense lately.

--
Yasuo Ohgaki
yohg...@ohgaki.net

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
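
The include pattern quoted in the message above, next to an allowlist form, as an added example that is not part of the original message or of PHP itself. The page keys, file names, the `resolve_page` helper and the temporary directory are assumptions made for illustration.

```php
<?php
// Pattern from the message: the request value is used as the include path.
// Rejecting null bytes does not change this, because a path without a
// null byte is still chosen entirely by the client.
//     include $_REQUEST['var'];

// Hardened form: the request value is only a lookup key (hypothetical names).
const PAGES = [
    'home'    => 'home.php',
    'contact' => 'contact.php',
];

function resolve_page(string $key, string $baseDir): ?string
{
    if (!array_key_exists($key, PAGES)) {
        return null;                 // unknown key: nothing is included
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . PAGES[$key]);
    // Defence in depth: the resolved file must exist and sit under $base.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Constructed demo data: two small page files in a temporary directory.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'include_demo_' . getmypid();
if (!is_dir($dir)) {
    mkdir($dir);
}
file_put_contents($dir . '/home.php', '<?php echo "home page\n";');
file_put_contents($dir . '/contact.php', '<?php echo "contact page\n";');

// Constructed request values; only keys present in PAGES reach include.
foreach (['home', 'contact', 'missing', 'anything-else'] as $requested) {
    $file = resolve_page($requested, $dir);
    if ($file === null) {
        echo "$requested: rejected\n";
        continue;
    }
    echo "$requested: ";
    include $file;
}
```

With this shape the client-supplied string is never concatenated into a filesystem path, so the set of files that can be included is fixed in the code.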