Re: [PHP-DEV] Preload scripts and preloaded scripts only options

2015-05-16 Thread Yasuo Ohgaki
Hi Stas, On Sun, May 17, 2015 at 6:16 AM, Stanislav Malyshev wrote: > > Right. Users could implement whitelist by themselves. > > I'm not talking about userspace implementation, I'm talking about > extension - which would make it work with any code as soon as extension > is loaded. > I see. Int

Re: [PHP-DEV] Preload scripts and preloaded scripts only options

2015-05-16 Thread Stanislav Malyshev
Hi! > Right. Users could implement whitelist by themselves. I'm not talking about userspace implementation, I'm talking about extension - which would make it work with any code as soon as extension is loaded. > However, isn't it nice to have this feature? It does not have any > performance penal

Re: [PHP-DEV] Preload scripts and preloaded scripts only options

2015-05-16 Thread Yasuo Ohgaki
Hi Stas, On Sun, May 17, 2015 at 4:53 AM, Stanislav Malyshev wrote: > > In addition, how about have a option that allows preloaded script only? > > I imagine it would be not hard to do with an extension overriding > compile_file, etc. the same way opcache does? > > This way it can be implemented

Re: [PHP-DEV] Preload scripts and preloaded scripts only options

2015-05-16 Thread Yasuo Ohgaki
Hi Johannes, On Sat, May 16, 2015 at 11:32 PM, Johannes Schlüter wrote: > That whitelist is called open_basedir. > http://php.net/manual/en/ini.core.php#ini.open-basedir > I'm trying to eliminate risks of script inclusion attack. open_basedir is not good enough to prevent include('/path/to/upl

Re: [PHP-DEV] Preload scripts and preloaded scripts only options

2015-05-16 Thread Yasuo Ohgaki
Hi Patrick, On Sat, May 16, 2015 at 10:32 PM, Patrick Schaaf wrote: > None of this whitelisting-by-filename would be practical for our setup. > Have a look at what Smarty does with compiled templates and cached pages: > PHP includes generated on the fly, with filenames that are not known in > ad

Re: [PHP-DEV] Preload scripts and preloaded scripts only options

2015-05-16 Thread Yasuo Ohgaki
Hi Francois, On Sat, May 16, 2015 at 10:04 PM, François Laupretre wrote: > > De : yohg...@gmail.com [mailto:yohg...@gmail.com] De la part de Yasuo > > Ohgaki > > > > As some of you know that I'm trying to eliminate script inclusion > attack. > > I come up with another idea which may have cons

Re: [PHP-DEV] Preload scripts and preloaded scripts only options

2015-05-16 Thread Stanislav Malyshev
Hi! > In addition, how about have a option that allows preloaded script only? I imagine it would be not hard to do with an extension overriding compile_file, etc. the same way opcache does? This way it can be implemented as independent functionality not needing modification of the engine or opca

Re: [PHP-DEV] Preload scripts and preloaded scripts only options

2015-05-16 Thread Patrick Schaaf
Am 16.05.2015 16:32 schrieb "Johannes Schlüter" : > > That whitelist is called open_basedir. > http://php.net/manual/en/ini.core.php#ini.open-basedir Ahem. open_basedir is neither a list, nor is it restricted to restricting include/require, which is the topic Yasuo is musing to do something about.

Re: [PHP-DEV] Preload scripts and preloaded scripts only options

2015-05-16 Thread Johannes Schlüter
On Sat, 2015-05-16 at 15:32 +0200, Patrick Schaaf wrote: > None of this whitelisting-by-filename would be practical for our setup. > Have a look at what Smarty does with compiled templates and cached pages: > PHP includes generated on the fly, with filenames that are not known in > advance. For suc

RE: [PHP-DEV] Preload scripts and preloaded scripts only options

2015-05-16 Thread Patrick Schaaf
None of this whitelisting-by-filename would be practical for our setup. Have a look at what Smarty does with compiled templates and cached pages: PHP includes generated on the fly, with filenames that are not known in advance. For such usage a whitelisting per realpath prefix, would be the only rea

RE: [PHP-DEV] Preload scripts and preloaded scripts only options

2015-05-16 Thread François Laupretre
> De : yohg...@gmail.com [mailto:yohg...@gmail.com] De la part de Yasuo > Ohgaki > > As some of you know that I'm trying to eliminate script inclusion attack. > I come up with another idea which may have consensus. > > PHP compiler is fast enough for almost all apps without script preloading.

[PHP-DEV] Preload scripts and preloaded scripts only options

2015-05-16 Thread Yasuo Ohgaki
Hi all, As some of you know that I'm trying to eliminate script inclusion attack. I come up with another idea which may have consensus. PHP compiler is fast enough for almost all apps without script preloading. However, large sites take advantage of opcache_compile_file() to maximize the perf