On Wed, Feb 25, 2015 at 4:40 PM, Pádraic Brady <padraic.br...@gmail.com> wrote:
> Stanislav,
>
> On 25 February 2015 at 23:26, Stanislav Malyshev <smalys...@gmail.com> wrote:
>> else I can say, provided that what I already said - including
>> demonstrating trivial workarounds that allow to circumvent this feature
>> with extreme ease - had no effect.
>
> You keep bringing that up. I keep having to correct you that the RFC
> does not target your specific example (it's a simple file extension
> filter). Then, you bring it up again...continuing to ignore the
> examples provided where it could assist in preventing the whole jpeg
> EXIF mess in the wild.

I think it won't even prevent that from happening. But this is another long story to explain why.

I also voted no for pretty much the same root reasons: it is a fake sense of security. Yes, it may help some basic cases, reducing the surface of attack, but that's about it. This is why I see it as another safemode or magic quotes, not from a feature point of view, but in how it tries to solve an actual problem using a very partial and weak solution.

I am also not very interested in entering the debate again, only in stating why I voted no. I admire Yasuo in his constant effort to improve PHP security from an end-user point of view, and I sadly disagree with the solution he provides with this RFC.

Cheers,
Pierre