On Tue, Feb 10, 2015 at 7:52 AM, Yasuo Ohgaki <yohg...@ohgaki.net> wrote: > Hi all, > > Some of you are tired with this topic, but please take a look the RFC > > [RFC] Script only includes - this is 3rd version. > https://wiki.php.net/rfc/script_only_include > > Please let me know what you like or dislike.
I said before but this RFC tries to solve a problem using yet another "security" feature in the engine while the OS and the webserver provides way better solutions without adding a possible new pandora box from a security point of view. Many extensions may have to deal with it too. I can only create an empty for all upcoming CVEs about xyz not following script_embed. Alone that tells me that we should not try again to make php "more secure" using such features. I suppose script_embed ini setting is siimilar to open_basedir but for exec only, which would prevent any script to be exec'ed (require, include, via handlers but works for fopen&co) while open_basedir would remain the same (aka also for fopen&co). Now, that does prevent one to shoot himself in the foot, eval(file_get_contents());. Yes, this is stupid thing to do, just a bit more stupid that require "someuploadedfile"; but not much more. Trying to implement security measures to prevent people to exec codes from an unknown file is a bad idea. They will do it one way or another. And if anyone application still do include/require(random/uploaded files), then they surely have many other problems to solve but none of them is really a php problem. Cheers, -- Pierre @pierrejoye | http://www.libgd.org -- PHP Internals - PHP Runtime Development Mailing List To unsubscribe, visit: http://www.php.net/unsub.php
