Hi!
> Will it add a significant level of protection? No.
>
> Does it add protection? Yes.
>
> Each time we add some incremental security hardening, we make it a bit
> harder to create vulnerabilities. In this case, if there were code
In this case, it seems not to be much harder than changing an
Hi Dmitry,
On 24 February 2015 at 07:00, Dmitry Stogov wrote:
> I'm not a security expert, but I think that adding a check for script
> extension won't add a significant level of protection.
Will it add a significant level of protection? No.
Does it add protection? Yes.
Each time we add some incre
Hi all,
On Tue, Feb 24, 2015 at 7:20 PM, Yasuo Ohgaki wrote:
> On Tue, Feb 24, 2015 at 4:00 PM, Dmitry Stogov wrote:
>
>> Use E_ERROR.
>>
>>
>>>
>>>
>>> https://github.com/php/php-src/pull//files#diff-93ad74868f98ff7232ebea7c8b7fR624
>>>
>>> Does the engine exception catch the error from zend
Hi Dmitry,
On Tue, Feb 24, 2015 at 4:00 PM, Dmitry Stogov wrote:
> Use E_ERROR.
>
>
>>
>>
>> https://github.com/php/php-src/pull//files#diff-93ad74868f98ff7232ebea7c8b7fR624
>>
>> Does the engine exception catch the error from zend_error_noreturn()?
>>
>
> no. it'll be changed into zend_error(
On Mon, Feb 23, 2015 at 6:55 AM, Yasuo Ohgaki wrote:
> Hi Dmitry and Nikita,
>
> On Mon, Feb 23, 2015 at 6:23 AM, Yasuo Ohgaki wrote:
>
>> I wrote a patch and made an adjustment in the RFC
>> https://wiki.php.net/rfc/script_only_include
>> https://github.com/php/php-src/pull/
>> Where to check fi
Hi Stas,
On Mon, Feb 23, 2015 at 5:02 PM, Stanislav Malyshev wrote:
> > I noticed very strange behavior under ZTS build with this patch.
> > It turned out that compiler_globals is not accessible under ZTS build
> > according to gdb.
> >
> > Is this intended? If so, where should I put script_exte
Hi!
> I noticed very strange behavior under ZTS build with this patch.
> It turned out that compiler_globals is not accessible under ZTS build
> according to gdb.
>
> Is this intended? If so, where should I put script_extensions char array?
That doesn't look right. If compiler_globals weren't ac
Hi all, Zend engine experts especially,
On Mon, Feb 23, 2015 at 6:23 AM, Yasuo Ohgaki wrote:
> I wrote a patch and made an adjustment in the RFC
> https://wiki.php.net/rfc/script_only_include
> https://github.com/php/php-src/pull/
> Where to check the filename extension is subject to change.
> At
Hi Dmitry and Nikita,
On Mon, Feb 23, 2015 at 6:23 AM, Yasuo Ohgaki wrote:
> I wrote a patch and made an adjustment in the RFC
> https://wiki.php.net/rfc/script_only_include
> https://github.com/php/php-src/pull/
> Where to check the filename extension is subject to change.
> At first, I thought