Hi Stas, On Thu, Feb 26, 2015 at 7:01 PM, Yasuo Ohgaki <yohg...@ohgaki.net> wrote:
> On Thu, Feb 26, 2015 at 5:51 PM, Stanislav Malyshev <smalys...@gmail.com> > wrote: > >> > This can be prevented by restricting phar archive name or forbid all >> > URI name at all. The latter is better choice. >> >> If by "all uri" you mean all streams, that would be very high burden, >> which may break many applications using streams, including phar handling. >> > > Phar has 2 issues. > > 1. It uses URI form for script, but allow_url_include is INI_SYSTEM. > 2. Phar allows any filename extension including none. > > Resolution for these requires BC. We may choose both or one of them. > If there is better idea, we may choose it also. > SInce allow_url_include change is very simple one, I've just made new RFC for it. https://wiki.php.net/rfc/allow_url_include If you find any other issue like this that relates to this RFC, please let me know I'll put this discussion shortly. Regards, -- Yasuo Ohgaki yohg...@ohgaki.net
