> From: yohg...@gmail.com [mailto:yohg...@gmail.com] On behalf of Yasuo Ohgaki
>
> How about an alternative way that turns 'require' into non-embedded mode by INI
> switch?

A big NO for me, as I am using 'include/require' in a lot of programs to include template files containing mixed text/php contents. And I'm probably not the only one.

Another reason is, like Adam, that I don't want another INI switch to change the interpreter behavior. When releasing a program, documenting and debugging ini switch dependencies is a nightmare. Even adding an 'extension=' line is a problem for many final users. So, please don't add another ini switch.

I am not opposed to the first option, while I don't really see the 'extremely severe security breach' brought by authorizing mixed text/php-code contents. Do you mean that including a forged path will release confidential file contents? Well, that's right, but chroot exists, and I would prefer a way to ensure the forged path is detected as such and rejected by the include statement. Something like tainting (a good candidate for inclusion in PHP 7, even if it requires more work).

Cheers

François

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php