Hi Jordi,

On 25 February 2015 at 23:09, Jordi Boggiano <j.boggi...@seld.be> wrote:
> On 25/02/2015 22:46, Stanislav Malyshev wrote:
>>
>> 2. I think this RFC provides false sense of security for people that
>> create vulnerable code and lets them think it's OK to have variable
>> includes without adequate safety, since they are "protected" by these
>> changes.
>
> People that are clueless already do not validate anything and are *NOT*
> protected by this RFC. People that know what they are doing probably do not
> need this patch. So the way I see it it's a win for random crappy code out
> there, and a noop at worst for the others.

Not so. From a defense-in-depth perspective (perhaps the programmer in the
next seat is error prone), I'd expect it to be enabled anyway. You lose
nothing by using it.

>> 3. I think it causes significant BC break which might be warranted in
>> case it provides major improvement in security, but IMO in the light of
>> the above it does not provide even minor one.
>
> A way to mitigate this might be to change the default to include a few more
> common extensions like phtml, inc, or whatever. As those are all commonly
> associated with PHP and offer no good reason to be allowed in user uploads,
> I guess it's safe.

No objections here for common extensions well established as being
intentionally PHP-bearing files.

Paddy

--
Pádraic Brady
http://blog.astrumfutura.com
http://www.survivethedeepend.com

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
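The "variable include without adequate safety" pattern the thread argues about, beside the validation that an engine-level extension restriction is meant to back up rather than replace. This is an added example by the editor; it is not code from the thread, from the RFC, or from its patch. The `pages/` directory, the `page` query parameter and the route names are assumptions made for the illustration.

```php
<?php
// Added example (not from the thread or the RFC patch). Shows the unsafe
// "variable include" pattern and two hardened replacements. The pages/
// directory, the 'page' query parameter and the route names are assumptions.

declare(strict_types=1);

// VULNERABLE: the include target is taken straight from the request.
// An attacker can point this at any readable file ("../../etc/passwd") or,
// after uploading an image whose bytes contain "<?php ...", at that upload.
// An engine-side extension allowlist would stop the second case only.
function render_unsafe(string $page): void
{
    include __DIR__ . '/pages/' . $page;   // no validation at all
}

// HARDENED, option 1: map route names to files with an explicit allowlist.
// User input is only a lookup key and never becomes part of a path.
const PAGES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

function render_allowlisted(string $page): bool
{
    if (!array_key_exists($page, PAGES)) {
        return false;                    // unknown route: refuse, do not guess
    }
    include __DIR__ . '/pages/' . PAGES[$page];
    return true;
}

// HARDENED, option 2: when the set of pages is open-ended, constrain the
// name to a strict pattern, pin the extension, and verify the resolved path
// still lives inside the pages directory. Use only if an allowlist is impossible.
function resolve_page_path(string $page, string $baseDir): ?string
{
    // Anchored with \A and \z so a trailing newline cannot slip through.
    // Rejects "..", "/", NUL, "%00" and any foreign extension such as ".jpg".
    if (!preg_match('/\A[a-z0-9_-]{1,64}\z/', $page)) {
        return null;
    }
    $base      = realpath($baseDir);
    $candidate = realpath($baseDir . '/' . $page . '.php');
    if ($base === false || $candidate === false) {
        return null;                     // directory or file does not exist
    }
    // realpath() resolves symlinks and "..", so a prefix check is meaningful.
    if (strncmp($candidate, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;                     // escaped the directory via a symlink
    }
    return $candidate;
}

function render_constrained(string $page): bool
{
    $path = resolve_page_path($page, __DIR__ . '/pages');
    if ($path === null) {
        return false;
    }
    include $path;
    return true;
}

// Usage: the route name comes from the query string, defaulting to 'home'.
$page = $_GET['page'] ?? 'home';
if (!render_allowlisted($page)) {
    http_response_code(404);
    echo 'Not found';
}
```

The allowlist form is the one to prefer: it needs no path arithmetic at all, so there is nothing for a traversal or encoding trick to act on. The pattern-plus-`realpath()` form exists for sites with many templates, and its prefix check only works because `realpath()` has already canonicalised both sides. Neither form depends on an engine-level extension restriction, which is exactly why such a restriction costs nothing to leave enabled as a second layer.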