Stas Malyshev wrote:
>  PHP could be stronger against LFI compared to scripting languages
>  as I described in previous mail.
PHP is as strong as any other language right now - if you include
user-supplied code, you lost, don't do it - no problem.

>  With this RFC, infamous reputation of LFI can be removed from PHP!
I see no "infamous reputation" except the wrong one you are creating
right now. include with user-supplied argument is a security hole, it
has nothing to do with vulnerability in PHP.

Some evidence that this is an 'infamous' problem would be useful. I certainly can only see old references to the null byte problem used for LFI which was fixed in 5.3.4 but it's impossible to remove all the 'bad practices' from tutorials on the internet which create many of the problems in the first place? Certainly I can't see anything which suggests that disabling the PHP tags would do anything for LFI? I would hope that my own sites follow the right rules to prevent any problems already ...

--
Lester Caine - G8HFL
-----------------------------
Contact - http://lsces.co.uk/wiki/?page=contact
L.S.Caine Electronic Services - http://lsces.co.uk
EnquirySolve - http://enquirysolve.com/
Model Engineers Digital Workshop - http://medw.co.uk//
Firebird - http://www.firebirdsql.org/index.php

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
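
The point made in the thread, that `include` with a user-supplied argument is the hole, is easiest to see from the defensive side. This is an added example, not code from the thread or from PHP itself: the request value is only ever a lookup key, and the page names, file names and temporary directory are hypothetical, constructed for the demonstration.

```php
<?php
declare(strict_types=1);

// Hypothetical page names and template files; none of these come from the thread.
const PAGES = [
    'home'    => 'home.php',
    'contact' => 'contact.php',
];

/**
 * Map a request parameter to a file that is safe to include.
 * Returns null for anything that is not an exact key of PAGES.
 */
function resolve_page(string $requested, string $baseDir): ?string
{
    // The request value is used only as a lookup key, never as part of a path.
    if (!array_key_exists($requested, PAGES)) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . PAGES[$requested]);
    // Defence in depth: the file must exist and resolve to a location under $baseDir.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Constructed demo: a throwaway template directory and a few request values.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'include_demo_' . getmypid();
mkdir($dir);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'home.php', "<?php echo \"home page\\n\";");

// 'contact' is allowlisted but its file is absent, so the existence check rejects it.
foreach (['home', 'contact', 'missing', '../home.php', "home\0.txt"] as $input) {
    $file = resolve_page($input, $dir);
    printf("%-18s => %s\n", json_encode($input, JSON_UNESCAPED_SLASHES),
        $file === null ? 'rejected' : 'include ' . basename($file));
    if ($file !== null) {
        include $file;
    }
}

unlink($dir . DIRECTORY_SEPARATOR . 'home.php');
rmdir($dir);
```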