Hi Dmitry,

On 24 February 2015 at 07:00, Dmitry Stogov <dmi...@zend.com> wrote:
> I'm not a security expert, but I think that adding a check for script
> extension won't add significant level of protection.

Will it add a significant level of protection? No. Does it add protection? Yes. Each time we add some incremental security hardening, we make it a bit harder to create vulnerabilities. In this case, if there were a code injection issue, the attacker must a) include a local file (not always useful) or b) upload some other apparently innocent file capable of being included (extremely useful). As such, this patch would lock out an obvious path by restricting the files that can be included to a more limited subset. Enough incremental improvements add up to a significant improvement.

Paddy

--
Pádraic Brady

http://blog.astrumfutura.com
http://www.survivethedeepend.com