Hi,

It seems it would be better to state the motivation of this RFC. The motivation for this RFC is:

1. "File Includes" is a fatal security breach.
2. The reason why PHP is less secure against "File Include" than other languages is "mandatory embed mode".
3. Non-mandatory embed mode gives users the option of better security.

With this RFC, PHP could be as safe as other scripting languages with respect to file includes. This RFC is fully compatible with current code. Writing backward compatible code takes as few as 3 lines.

Most security measures are not perfect solutions, but mitigations, just like canaries and DEP. I suppose people who are concerned with security understand the value of these protections.

Are there any good reasons not to have non-mandatory embed mode as an additional security measure? Why not make it harder for attackers to exploit?

In short, I'm really annoyed to hear "PHP is less secure than Ruby/Perl/Python/etc."

Regards,

--
Yasuo Ohgaki
yohg...@ohgaki.net