Hi Dmitry,

On Tue, Feb 24, 2015 at 4:00 PM, Dmitry Stogov <dmi...@zend.com> wrote:

> Use E_ERROR.
>
>> https://github.com/php/php-src/pull/1111/files#diff-93ad74868f98ff7232ebea00007c8b7fR624
>>
>> Does engine exception catch errors from zend_error_noreturn()?
>
> no. it'll be changed into zend_error().

Thank you for the comment.

> I'm not a security expert, but I think that adding a check for script
> extension won't add a significant level of protection.

I agree. For developers who have more than average skills, this RFC would not be helpful. File inclusions by readfile()/etc. are fatal as well. Users must be careful anyway.

My objective is to reduce the risk of server takeover by script inclusions to as low as in other languages, and to be nice to new developers. I've audited a number of web applications written in various languages; there isn't much difference in programmers' skills. My samples are too few and do not represent actual figures, but we'll have fewer vulnerable PHP apps by this. IMHO.

Regards,

--
Yasuo Ohgaki
yohg...@ohgaki.net
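Worked example added by the editor; it is not part of this thread, the RFC, or php-src pull request 1111. It illustrates the point Yasuo concedes above: an extension check on its own adds little, so the helper below performs the stronger check first (resolve the requested file and confirm it stays inside one allowlisted directory, which also rejects stream wrappers because realpath() only resolves local files) and applies the extension check last. The function name `safe_include_path`, the `pages` directory and the `page` request parameter are assumptions made for the example.

```php
<?php
// Added example, not code from the RFC or the php-src pull request.
// Assumed layout: includable scripts live under $baseDir and the script
// name arrives in a request parameter. Both are assumptions.

function safe_include_path(string $baseDir, string $requested): ?string
{
    // Reject embedded NUL bytes before touching the filesystem; older PHP
    // versions truncated paths at NUL and newer ones throw a ValueError.
    if (strpos($requested, "\0") !== false) {
        return null;
    }

    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }

    // realpath() resolves "..", symlinks and redundant separators, and
    // returns false for anything that is not an existing local file. That
    // also rejects php://, data://, http:// and similar wrapper names.
    $target = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($target === false) {
        return null;
    }

    // Containment check: the resolved file must sit inside $base.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null;
    }

    // Extension check last. On its own this is the weak check discussed in
    // the thread (a file can be stored under any name); it only adds value
    // on top of the containment check above.
    if (substr($target, -4) !== '.php') {
        return null;
    }

    return $target;
}

// Constructed usage: $_GET['page'] is untrusted input from the request.
$page = $_GET['page'] ?? 'home.php';
$path = safe_include_path(__DIR__ . '/pages', $page);
if ($path === null) {
    http_response_code(404);
    exit('no such page');
}
require $path;
```

The ordering matters for the reason discussed in the thread: the containment check decides which files can be included at all, while the extension check only narrows that set further. Reversing the order, or keeping only the extension check, leaves the include decision to whatever name a file happens to carry.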