Hi all,

On Fri, Feb 6, 2015 at 1:35 PM, Yasuo Ohgaki <yohg...@ohgaki.net> wrote:

>
> I have similar idea for PHP to have data only dirs.
>>
>> We have that already, not for php, but for web servers. This is their
>> job to deal with that.
>
>
> Yes, indeed.
> engine=off
> per dirs. This is what I suggest people. It cannot prevent other dir's
> PHP scripts to load & execute. Public upload dir must have this setting.
>
> My idea is controlling it from PHP, not as web server management.
> It's better than per dir "engine=off".
> It's not too important for me now, so it's not my priority.
>

I take it back. I must include the idea in this RFC to be complete.

Since Zend allows a custom script loader. Phar is integrated into PHP.
There are a number of byte compilers. Some of them allow encryption.
We need a script-only include statement as well as data-only dirs or
script-only dirs.

Specifying script-only dirs is better because it is a white list. Programs
should choose a white list whenever possible rather than a black list.

If there is an upload dir in the system, PHP may execute files in the upload
dir. It's impossible to specify/detect which one is a PHP script or not
because of the custom script loader.

Therefore, PHP must have both script-only inclusion and script-only dirs
configuration.

Any comments on this?

Regards,

--
Yasuo Ohgaki
yohg...@ohgaki.net
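The white-list idea in the message above, approximated in userland PHP as an added example (not part of the e-mail or the RFC, and not the engine-level setting it proposes). `resolve_script_path()` and the demo directories are hypothetical names, and the sample files are constructed.

```php
<?php
declare(strict_types=1);

/** Hypothetical helper: return the resolved path only if it lies inside an allow-listed script dir. */
function resolve_script_path(string $path, array $scriptDirs): string
{
    // Refuse stream wrappers (phar://, php://, data://, ...): realpath() only
    // understands local filesystem paths, so these must be rejected explicitly.
    if (preg_match('#^[a-z][a-z0-9+.-]*://#i', $path) === 1) {
        throw new RuntimeException("stream wrapper not allowed: $path");
    }
    // realpath() collapses ".." and follows symlinks, so a link inside a
    // script dir that points into the upload dir resolves to the upload dir.
    $real = realpath($path);
    if ($real === false || !is_file($real)) {
        throw new RuntimeException("not an existing file: $path");
    }
    foreach ($scriptDirs as $dir) {
        $base = realpath($dir);
        if ($base === false) {
            continue; // allow-listed directory does not exist on this host
        }
        // Trailing separator so "/app/src-old" does not match "/app/src".
        $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
        if (strncmp($real, $prefix, strlen($prefix)) === 0) {
            return $real;
        }
    }
    throw new RuntimeException("outside script-only dirs: $path");
}

// Constructed demo: one script dir and one upload dir under the temp directory.
$root = sys_get_temp_dir() . '/script-only-demo-' . getmypid();
mkdir("$root/src", 0700, true);
mkdir("$root/uploads", 0700, true);
file_put_contents("$root/src/hello.php", '<?php return "hello from src";');
file_put_contents("$root/uploads/avatar.png", '<?php return "uploaded code ran";');

$candidates = ["$root/src/hello.php", "$root/uploads/avatar.png",
               "$root/src/../uploads/avatar.png", "phar://$root/uploads/avatar.png"];
foreach ($candidates as $candidate) {
    try {
        $result = require resolve_script_path($candidate, ["$root/src"]);
        echo "included: $result", PHP_EOL;
    } catch (RuntimeException $e) {
        echo 'refused:  ', $e->getMessage(), PHP_EOL;
    }
}
```

A check like this only covers call sites that use it; a plain `include` elsewhere in the code base is unaffected, which is the gap an engine-level configuration would close.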