Hi Yasuo,
I have voted no, as I believe too that the change will give a false
sense of security.
In my past experience, numerous exploited applications I've seen had php
scripts (php-shells or just outputting malicious code) dropped to the
file system and most of the times the extension was ".php".
Cheers
On 25/02/2015 23:06, Yasuo Ohgaki wrote:
Hi all,
Vote for script only include/require RFC is started.
This RFC closes one of the fatal security hole in PHP programs with
simple patch.
https://wiki.php.net/rfc/script_only_include
https://github.com/php/php-src/pull/1111
Vote ends 2015/3/12
It seems there are misunderstandings about the issue and the protection.
If you would like to vote "no", please read the RFC carefully.
If you find fatal reason to reject this RFC, it is about arbitrarily code
execution
and file exposure, so please let us know the reason why.
If you have question, please ask.
Thank you for voting.
--
Yasuo Ohgaki
yohg...@ohgaki.net
--
Matteo Beccati
Development & Consulting - http://www.beccati.com/
--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
