On Thu, Feb 5, 2015 at 5:20 PM, Yasuo Ohgaki <yohg...@ohgaki.net> wrote:
> Hi Leigh,
>
> On Thu, Feb 5, 2015 at 5:31 PM, Leigh <lei...@gmail.com> wrote:
>
>> On 5 February 2015 at 05:37, Adam Harvey <ahar...@php.net> wrote:
>> > I'm not totally clear on what this RFC is proposing, honestly. Is the
>> > new script statement meant to only include files that are entirely
>> > wrapped in <?php and ?> tags? Are files included that way assumed to
>> > be PHP and don't require <?php and ?> tags? Something else?
>> >
>>
>> This is my initial reaction to the RFC, it doesn't state the
>> _specific_ difference between include/script. I understand what was
>> proposed in the nophptags RFC, but I have to make an assumption for
>> this RFC.
>>
>> My assumption is that you want script* to not require <?php to begin
>> parsing. i.e. including /etc/passwd would be a parse failure.
>
>
> I'm proposing *SCRIPT* only inclusion. This can be done by
>
> - allowing "<?php" only at the top of script
> - not allowing "?>" anywhere (We may allow at the end possibly)
>
> Those who do not understand my point.
> Please search by "PHP LFI" or "PHP file inclusion" for real life
> security issues.
I do understand what you try to achieve, from all points of view. However I strongly disagree with this as a security improvement. I see this more as yet another attempt to replace what should be done at the OS level.

Cheers,
--
Pierre

@pierrejoye | http://www.libgd.org

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
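As an added illustration, not code from the thread, from the RFC, or from PHP itself: a userland approximation of the "script-only inclusion" rule Yasuo describes, checked with the tokenizer extension rather than by string matching. A file is accepted only if its first token is an opening `<?php` tag, it contains no inline HTML and no further open tags, and it contains no `?>` at all (or, optionally, one as the very last token). The function names, the option name and the sample sources below are assumptions made for the example; the thread does not specify them.

```php
<?php
// Added example: userland approximation of "script-only inclusion".
// Names (is_script_only, script_include, $allowTrailingCloseTag) and the
// sample sources are assumptions for illustration, not from the RFC.

function is_script_only(string $source, bool $allowTrailingCloseTag = true): bool
{
    $tokens = token_get_all($source);

    // Rule 1: the file must begin with an open tag; anything else (plain
    // text, HTML, a BOM) shows up as T_INLINE_HTML or as an empty list.
    if ($tokens === [] || !is_array($tokens[0]) || $tokens[0][0] !== T_OPEN_TAG) {
        return false;
    }

    $last = count($tokens) - 1;
    foreach ($tokens as $i => $token) {
        if (!is_array($token)) {
            continue; // single-character tokens (";", "{", ...) are never tags
        }
        $id = $token[0];

        // Rule 2: never leave PHP mode. Inline HTML or "<?=" means the file
        // is a template, not a script.
        if ($id === T_INLINE_HTML || $id === T_OPEN_TAG_WITH_ECHO) {
            return false;
        }
        // A second "<?php" can only follow a "?>", so it also fails rule 2.
        if ($id === T_OPEN_TAG && $i !== 0) {
            return false;
        }
        // Rule 3: "?>" is rejected, except optionally as the final token.
        // The tokenizer folds the trailing newline into T_CLOSE_TAG, so any
        // text after it would have appeared as T_INLINE_HTML above.
        if ($id === T_CLOSE_TAG && !($allowTrailingCloseTag && $i === $last)) {
            return false;
        }
    }
    return true;
}

// Guarded include: read the file, apply the rule, then include it.
function script_include(string $path)
{
    $source = file_get_contents($path);
    if ($source === false || !is_script_only($source)) {
        throw new RuntimeException("refusing to include non-script file: $path");
    }
    return include $path;
}

// Constructed sample sources (not real files) exercising each rule.
$samples = [
    'pure script'        => "<?php\nfunction f() { return 1; }\n",
    'script, final ?>'   => "<?php\n\$x = 1;\n?>\n",
    'template with HTML' => "<html><?php echo \$title; ?></html>\n",
    'plain text, no tag' => "just some text, not PHP at all\n",
    'close tag mid-file' => "<?php\n\$a = 1;\n?>\ntext\n<?php \$b = 2;\n",
];

foreach ($samples as $label => $src) {
    printf("%-20s %s\n", $label, is_script_only($src) ? 'accepted' : 'rejected');
}
// Expected: the first two are accepted, the remaining three rejected.
```

Two points a practitioner should keep in mind with this shape of check. `script_include()` reads the file once for validation and a second time for `include`, so it only holds if the file cannot change in between; an engine-level implementation, as proposed in the thread, would not have that window. And the check decides only what a file must look like to be included, not which paths may be reached in the first place; that second question is the one Pierre's reply assigns to the OS level.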