On Fri, Feb 6, 2015 at 11:35 AM, Yasuo Ohgaki <yohg...@ohgaki.net> wrote:
> Hi Pierre,
>
> On Fri, Feb 6, 2015 at 1:16 PM, Pierre Joye <pierre....@gmail.com> wrote:
>>
>> > With SELinux, we can restrict access. However, PHP should be able to
>> > read/write uploaded files. PHP just read and execute them with include.
>>
>> Again, I am talking about executing files. You can exclude a file,
>> path, folder for being invoked with a handler or similar things on a
>> web server. It has nothing to do with the PHP ability to access this
>> file as normal data. That won't prevent a file_get_contents+eval but
>> you get the idea.
>
> OK.
>
>> > Is Windows possible to prevent PHP to load script and execute? While
>> > allowing write/read access?
>>
>> Yes and no. It is a web server role. Linux allows access restrictions
>> too, Windows only provides a much more fine grained ACL. But again, it
>> is not what I am referring to.
>>
>> > I have similar idea for PHP to have data only dirs.
>>
>> We have that already, not for PHP, but for web servers. This is their
>> job to deal with that.
>
> Yes, indeed.
> engine=off
> per dirs. This is what I suggest people. It cannot prevent other dir's
> PHP scripts to load & execute. Public upload dir must have this setting.
>
> My idea is controlling it from PHP, not as web server management.
> It's better than per dir "engine=off".
> It's not too important for me now, so it's not my priority.

But it is the key point. It is not PHP's role to do it. PHP is not alone. It is a server configuration job. But I have said that already many times, we got our points :)

--
Pierre

@pierrejoye | http://www.libgd.org

--
PHP Internals - PHP Runtime Development Mailing List
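
The per-directory "engine=off" setting discussed in this thread, written out as a web server configuration fragment. This is an added example, not part of either message; it assumes Apache httpd with mod_php, and the directory paths are placeholders.

```apache
# Constructed example: Apache httpd with mod_php is assumed and
# both paths below are placeholders for the site's own layout.

# Application code: PHP stays enabled here.
<Directory "/var/www/example/public">
    Require all granted
</Directory>

# Public upload directory: files are served as data only.
<Directory "/var/www/example/public/uploads">
    # Turn the PHP engine off for requests that map into this directory.
    # The php_admin_* form cannot be overridden from .htaccess.
    php_admin_flag engine off

    # Ignore .htaccess files here, so an uploaded .htaccess cannot
    # add handlers or otherwise change how this directory is served.
    AllowOverride None

    # No CGI execution and no directory listings for uploaded content.
    Options -ExecCGI -Indexes

    Require all granted
</Directory>

# Limit noted in the thread: this only governs requests the web server
# maps to the upload directory. A PHP script in another directory can
# still include an uploaded file, or file_get_contents() + eval() it.
```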