> From: yohg...@gmail.com [mailto:yohg...@gmail.com] On behalf of Yasuo Ohgaki
>
> As some of you know, I'm trying to eliminate script inclusion attack.
> I come up with another idea which may have consensus.
>
> PHP compiler is fast enough for almost all apps without script preloading.
> However, large sites take advantage of opcache_compile_file() to maximize
> the performance/response.
>
> How about having a preloaded scripts configuration?
> In addition, how about having an option that allows preloaded scripts only?
>
> This way, PHP will execute only scripts listed in the "whitelist".
> This is a perfect solution for eliminating PHP script inclusion attacks.
> In addition, users don't have to preload scripts one by one using
> opcache_compile_file().
>
> These options may be PHP/Zend or opcache options.

Does it mean you preload every script you could use? In a typical application with potential access to, say, 4,000/5,000 PHP scripts, does it mean you will preload them all before running anything?

I hope it is not the case because it's generally impossible to know in advance which files you'll need. That's even the main benefit of autoloading.

An idea I had during a previous thread about script inclusion is a way to register a list of patterns that paths should match. The main script would register them and, then, every include/require would be filtered through the list. It just requires running realpath() and matching the result against a set of patterns. Don't know the performance impact. Just an idea.

Regards

François
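
The path-pattern filter proposed in the reply above, written as an added userland example (not code from this thread or from PHP itself). The class `IncludeAllowlist`, its methods and the sample tree are hypothetical, and the patterns assume POSIX-style paths.

```php
<?php
declare(strict_types=1);

// Hypothetical userland helper: PHP has no built-in include filter like this.
final class IncludeAllowlist
{
    /** @var string[] fnmatch() patterns, written against canonical paths */
    private array $patterns = [];

    public function register(string $pattern): void { $this->patterns[] = $pattern; }

    public function resolve(string $path): string
    {
        // realpath() collapses ".." and symlinks; it returns false when the
        // string does not name an existing local file.
        $real = realpath($path);
        if ($real === false) {
            throw new RuntimeException("include rejected (unresolvable): $path");
        }
        foreach ($this->patterns as $pattern) {
            // FNM_PATHNAME keeps "*" from matching across "/".
            if (fnmatch($pattern, $real, FNM_PATHNAME)) {
                return $real;
            }
        }
        throw new RuntimeException("include rejected (no pattern matches): $real");
    }
}

// Constructed sample tree in a temporary directory.
$base = realpath(sys_get_temp_dir()) . '/allowlist_demo_' . getmypid();
mkdir("$base/lib", 0700, true);
mkdir("$base/uploads", 0700, true);
file_put_contents("$base/lib/util.php", "<?php return 'util loaded';");
file_put_contents("$base/uploads/avatar.php", "<?php return 'should never run';");

$filter = new IncludeAllowlist();
$filter->register("$base/lib/*.php");

// Include the resolved path, not the caller's string, so the file that was
// checked is the file that is loaded.
$msg = require $filter->resolve("$base/lib/util.php");
echo $msg, "\n";

try {
    // Looks like it sits under lib/, but canonicalises into uploads/.
    require $filter->resolve("$base/lib/../uploads/avatar.php");
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";
}
```

The cost per include is one realpath() call plus one fnmatch() per registered pattern, which is the performance question the reply leaves open.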