Tom,

On Mon, Apr 9, 2012 at 1:20 PM, Yasuo Ohgaki <yohg...@ohgaki.net> wrote:

> Hi,
>
>
> 2012/4/10 Stas Malyshev <smalys...@sugarcrm.com>:
> > Hi!
> >
> >>> I'm not sure I follow - which PHP vulnerability you are talking about?
> >>
> >> Local file includes. (LFI)
> >
> > I'm not sure I understand - where's the vulnerability?
> >
> >> There is a null byte protection for LFI and I really like the
> >> protection. It's also beneficial to other problems. However, it would
> >> not help code like "include $_REQUEST['var']"
> >
> > Don't write such code. It's like saying exec() function is a
> > "vulnerability" in libc. You instruct PHP to run code based on user
> > input - that's what PHP will be doing, it's not a "vulnerability" by any
> > definition.
>
> I agree. Programmers should not write that.
>
> I would not propose the RFC if PHP were used mainly as an embedded language
> or the vulnerability were non-fatal. By making embedded mode non-mandatory,
> almost all issues will be gone. Why shouldn't we?
>
> Regards,
>
> --
> Yasuo Ohgaki
> yohg...@ohgaki.net
>
> --
> PHP Internals - PHP Runtime Development Mailing List
> To unsubscribe, visit: http://www.php.net/unsub.php
>
>
Honestly, I would suggest just getting rid of "Option 1" altogether.  It
would end up over-complicating this to such a degree that any usefulness it
might serve would be considerably diminished.

As for embedded HTML, if you allow the ?> tag in these .phpp files, then
that pretty much negates the entire purpose of having them to begin with.
Essentially, you'd just be changing it so that, instead of defaulting to
"?>" when no tag is present, it defaults to "<?php".  I just don't see any
value in that as a developer.

A developer should *not* be including in a .phpp file classes that contain
HTML within the ?> tag, period.  If they need to include something that has
that, they should do it in a regular .php file.  An "HTML-less" PHP file
needs to be exactly that; no direct HTML allowed.  Otherwise, the RFC is
completely and utterly pointless IMHO.


I think this would be awesome for PHP 6, but I'll have to vote against it
if you settle on using "Option 1" and/or allow ?> content to be
embedded/included in .phpp files.  If we differentiate based solely on the
file extension and keep ?> tags out of it, then I'll definitely support it!

--Kris
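An added example (not from this thread and not PHP's own code) showing the include pattern Stas warns against beside an allow-list version, so the request only ever selects a key, never a path. The pages/ directory, the page map and the key names are assumptions.

```php
<?php
// Added example, not from the thread. Contrasts the LFI-prone pattern
// ("include $_REQUEST['var']") with an allow-list include.

// Pattern discussed above: user input decides which file is executed.
// Shown only to illustrate what the thread is talking about; do not use.
function include_from_request_unsafe(array $request): void
{
    include $request['var'];
}

// Hardened version: the request carries a key, and only entries of a fixed
// map under a fixed directory can be included. (Directory and map assumed.)
const PAGE_DIR = __DIR__ . '/pages';
const PAGES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

// Returns the absolute path for a known key, or null for anything else.
function resolve_page(string $key): ?string
{
    if (!array_key_exists($key, PAGES)) {
        return null;                      // unknown key: refuse
    }
    $base = realpath(PAGE_DIR);
    $path = realpath(PAGE_DIR . '/' . PAGES[$key]);
    // Defence in depth: the resolved file must still sit inside PAGE_DIR.
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

// Entry point: returns true if a page was included, false otherwise.
function include_page(array $request): bool
{
    $key = $request['page'] ?? 'home';
    if (!is_string($key)) {              // arrays etc. are rejected
        return false;
    }
    $path = resolve_page($key);
    if ($path === null) {
        http_response_code(404);
        return false;
    }
    include $path;
    return true;
}

// Usage, e.g. from index.php:
// include_page($_GET);
```

Null-byte stripping alone would not help the first function, which is the point made above: the fix is to never let the request name a file at all.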
