Hi Xinchen, On Fri, Feb 27, 2015 at 4:45 PM, Xinchen Hui <larue...@php.net> wrote:
> Sorry, but I am confused by the point, do you want to disable include
> a remote php file or not?
>
> if yes, how about with allow_url_fopen?
>
> eval(file_get_contents(http://xxxxxx/));
>
> thanks
>

My objective is to disable "local script/file inclusion" by include/require with default usage.

We have added mitigations like allow_url_include=Off and the NULL byte restriction for filenames. The number of vulnerable applications has been reduced, but there are still many compared to other languages. (This RFC removes allow_url_include, but introduces a more specific/restrictive API and disables include 'phar://phar_file/script.php'; by default)

Regarding eval(file_get_contents(http://xxxxxx/));

This kind of operation can be done in other languages also. This code is not in the scope of my RFCs. If the user specifies to do so, it's the user's problem.

I would like to make PHP as secure as possible with default usage. e.g. Make include($_GET['var']) not read/execute files, but raise proper errors where it is possible, as other languages do.

This can be done by
https://wiki.php.net/rfc/script_only_include
and
https://wiki.php.net/rfc/allow_url_include

If anyone finds a missing piece, please let me know.

Regards,

--
Yasuo Ohgaki
yohg...@ohgaki.net
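The include($_GET['var']) pattern the message refers to, shown beside an allow-list version that never hands request data to include/require. This is an added example and not code from the thread or from either RFC; the `page` parameter, the `pages/` directory and the helper names are assumptions made for the illustration.

```php
<?php
// Added example (not from the mailing-list thread or the RFCs).

// Vulnerable pattern: a request parameter reaches include() unchanged, so the
// include target is chosen by the client (local path, phar:// or other wrapper,
// depending on php.ini). This is the "local script/file inclusion" case the
// message wants PHP to refuse by default.
function include_page_unsafe(): void
{
    include $_GET['page'];   // assumed parameter name
}

// Hardened pattern: the request value is only a key into a fixed map of
// scripts the application itself owns; no request-derived string is ever
// used as a path, so allow_url_include, NULL-byte filtering and the RFC's
// script-only include are defence in depth rather than the sole barrier.
function known_pages(): array
{
    return [
        'home'    => __DIR__ . '/pages/home.php',     // assumed layout
        'contact' => __DIR__ . '/pages/contact.php',
    ];
}

function resolve_page(string $key): ?string
{
    $pages = known_pages();
    return array_key_exists($key, $pages) ? $pages[$key] : null;
}

function include_page_safe(): void
{
    $key  = (string) ($_GET['page'] ?? '');
    $path = resolve_page($key);

    if ($path === null || !is_file($path)) {
        // Unknown key: fail closed with a proper error instead of including.
        http_response_code(404);
        echo 'Unknown page';
        return;
    }

    require $path;
}

include_page_safe();
```

Because resolve_page() returns a path from a table rather than building one from the input, there is nothing for a traversal sequence or stream wrapper prefix in `page` to influence; a value not in the table simply maps to null and a 404.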