On 06/02/15 05:01, Yasuo Ohgaki wrote:
>> But it is the key point. It is not PHP role to do it. PHP is not
>> alone. It is a server configuration job. But I have said that already
>> many times, we got our points :)

> I understand your point.
> 
> We need both OS and PHP feature for perfection. Both of them are required.
> 
> Current PHP just reads & executes all accessible files by include.
> I think you understand my point, too :)

The question is essentially CAN one prevent PHP on its own from running
things it shouldn't. In order to prevent people who do not understand
the security risks from 'making a mistake'. The answer is probably only
yes for a distribution that only comes from PHP. Other distributions are
not following guidelines now so expecting them to do in the future is
questionable? This is more about education of the whole infrastructure
but I don't see the point of yet another load mechanism? I thought we
had introduced all the necessary restrictions on include and require
already? From a 'nannying' point of view I would have thought it was
that hole which needed plugging since the people you are trying to
protect will not use a new mechanism anyway? I hope that I have my own
installations configured such that one can't upload material on-line
that can be accessed but having to ensure third party libraries are
using 'script' rather than 'include/require' seems a little problematic ...

-- 
Lester Caine - G8HFL
-----------------------------
Contact - http://lsces.co.uk/wiki/?page=contact
L.S.Caine Electronic Services - http://lsces.co.uk
EnquirySolve - http://enquirysolve.com/
Model Engineers Digital Workshop - http://medw.co.uk
Rainbow Digital Media - http://rainbowdigitalmedia.co.uk

-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
