Hi,
2012/4/10 Stas Malyshev <smalys...@sugarcrm.com>:
> Hi!
>
>>> I'm not sure I follow - which PHP vulnerability are you talking about?
>>
>> Local file includes (LFI).
>
> I'm not sure I understand - where's the vulnerability?
>
>> There is a null byte protection for LFI and I really like the protection.
>> It's also beneficial for other problems. However, it would not help code
>> like "include $_REQUEST['var']".
>
> Don't write such code. It's like saying the exec() function is a
> "vulnerability" in libc. You instruct PHP to run code based on user
> input - that's what PHP will be doing; it's not a "vulnerability" by any
> definition.

I agree. Programmers should not write that.

I would not propose the RFC if PHP were used mainly as an embedded language or the vulnerability were non-fatal.

By making embedded mode non-mandatory, almost all issues will be gone. Why shouldn't we?

Regards,

--
Yasuo Ohgaki
yohg...@ohgaki.net

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
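The `include $_REQUEST['var']` pattern discussed above, placed beside two hardened forms, as an added example that is not part of the thread and not PHP's own code. It assumes templates live under a single directory (`$baseDir`, a temporary directory created by the script) and are selected by a short name; the function names, the allow-list array and the sample request values are all constructed for illustration.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread or from PHP itself.
// Assumption: all includable templates sit under one directory ($baseDir) and
// are chosen by a short name sent by the client; anything else is rejected.

// The pattern criticised in the thread. Whatever the client sends is included,
// so a value such as "../../../etc/passwd" walks out of the template directory
// (local file inclusion). Kept here only for contrast; never call it with
// request data.
function render_unsafe(string $page): void
{
    include $page;
}

// Hardened variant 1: exact allow-list. The request value is only a lookup key;
// the filesystem path never comes from the client at all, so null bytes,
// "..", wrappers like php://filter and absolute paths are irrelevant.
function resolve_allowlisted(string $page, array $allowed, string $baseDir): ?string
{
    if (!array_key_exists($page, $allowed)) {
        return null;
    }
    return $baseDir . DIRECTORY_SEPARATOR . $allowed[$page];
}

// Hardened variant 2: when names cannot be enumerated up front, restrict the
// character set, canonicalise with realpath() (resolves "." / ".." / symlinks,
// returns false for missing files) and confine the result to $baseDir. The
// explicit null-byte check runs first because PHP's filesystem functions refuse
// such paths anyway (realpath() throws a ValueError on PHP 8), which is the
// null-byte protection mentioned in the thread; the prefix check additionally
// catches symlinks that point outside the template directory.
function resolve_confined(string $page, string $baseDir): ?string
{
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    if (strpos($page, "\0") !== false || !preg_match('/\A[A-Za-z0-9_\/-]+\z/', $page)) {
        return null;
    }
    $path = realpath($base . DIRECTORY_SEPARATOR . $page . '.php');
    if ($path === false) {
        return null;
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Constructed demo: a throwaway template directory holding one page.
$baseDir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'tpl_' . bin2hex(random_bytes(4));
mkdir($baseDir);
file_put_contents($baseDir . DIRECTORY_SEPARATOR . 'home.php', "<?php echo \"home page\\n\";");

// Constructed request values: one legitimate, one traversal, one null-byte
// truncation attempt, one unknown name.
$cases = ['home', '../../../etc/passwd', "home\0.txt", 'missing'];
foreach ($cases as $c) {
    $a = resolve_allowlisted($c, ['home' => 'home.php'], $baseDir);
    $b = resolve_confined($c, $baseDir);
    printf("%-28s allowlist=%s  confined=%s\n",
        addcslashes($c, "\0"), $a ?? 'rejected', $b ?? 'rejected');
}

// Only a resolved path is ever handed to include.
$p = resolve_confined('home', $baseDir);
if ($p !== null) {
    include $p;
}

unlink($baseDir . DIRECTORY_SEPARATOR . 'home.php');
rmdir($baseDir);
```

Run it with `php lfi_example.php` (any filename works). Only `home` resolves under either hardened function; the traversal, null-byte and unknown inputs are rejected before `include` sees them. The allow-list variant is the one to prefer when the set of pages is known, because it removes the client from the path entirely; the confined variant is the fallback when it is not.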