Hi,

2012/4/10 Luke Scott <l...@cywh.com>:
> On Apr 9, 2012, at 9:08 PM, Yasuo Ohgaki <yohg...@ohgaki.net> wrote:
>
>>> I would actually suggest that require/include stop supporting remote
>>> files all together. But that can be a different RFC.
>>>
>>> This "security problem" isn't a problem with common sense.
>>
>> Requiring/Including remote file is not bad, just like embedded mode
>> of PHP is not bad.
>
> You can fetch a remote file with curl, socket functions, hell, even
> file_get_contents. Point is you shouldn't be using require/include for
> including remote files. It's not the purpose of these functions, and
> even though "you can" it doesn't mean you should and it's highly
> discouraged.

I strongly discourage setting allow_url_include=on, too.
Enabling it only when it is needed is okay.

I think you are concerned about security, so you could agree to have
an option for disabling embedded mode, couldn't you?

>
> It's not a core PHP problem. It's programming problem.
>
> Where I work we forbid certain things like this for good reason. We
> also have a code review process. All code is checked by another
> developer before it gets committed. Even my code, and I'm a manager.
> This should be done at the very least. Some companies do this and then
> have a third party audit the code on top of it.

Letting programmers decide what to do is good, as well as giving a secure
default and secure standards.

PHP is a programming language anyway.

Programming languages should give freedom to write suicide code,
more or less. Otherwise, it will limit the creative work of programmers.
Rather than limiting or prohibiting some feature, "setting reasonable
default behavior" is what the PHP project should do. IMO.

>> They are bad for security if they are enabled by default or mandatory.
>
> Again nothing has changed with this RFC.

That's the problem.
If PHP is going to drop mandatory embedding, PHP had better
remove the LFI mess due to mandatory embed mode. IMHO

Mandatory embedded mode is less secure than an optional one.
If other scripting languages had a mandatory embed mode, then it might
stay as it is now. However, PHP is the only one that is too weak against LFI.

Regards,

--
Yasuo Ohgaki
yohg...@ohgaki.net
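The thread's practical advice (keep allow_url_include off, fetch remote data with file_get_contents or curl rather than require/include, and never let request input reach include) can be shown in code. The following is an added example written for this page, not code from the thread or from the PHP project; the `templates/` directory, the page allowlist and the `page` query parameter are constructed assumptions.

```php
<?php
// Added example (not from the thread): an include dispatcher that never
// passes user input to require/include directly. Assumes a templates/
// directory next to this script; the allowlist below is constructed.

declare(strict_types=1);

// Constructed allowlist: request value => file under templates/.
const PAGES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

/**
 * Resolve a page key to a local file path, or null if it is not allowed.
 * Only keys present in PAGES are accepted; the file name never comes from
 * the request, so neither "../" traversal nor "http://" wrappers can reach
 * require().
 */
function resolve_page(string $key): ?string
{
    if (!array_key_exists($key, PAGES)) {
        return null;
    }
    $base = realpath(__DIR__ . '/templates');
    $real = realpath(__DIR__ . '/templates/' . PAGES[$key]);
    // realpath() returns false for a missing file; also confirm the
    // resolved file still lives under templates/.
    if ($real === false || $base === false
        || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $real;
}

/**
 * Fetch remote content the way the thread recommends: as data via
 * file_get_contents (governed by allow_url_fopen), never via include.
 * Returns the body as text or null on failure; the caller must treat the
 * result as data, not as code.
 */
function fetch_remote_text(string $url): ?string
{
    $scheme = parse_url($url, PHP_URL_SCHEME);
    if (!in_array($scheme, ['http', 'https'], true)) {
        return null;
    }
    $body = @file_get_contents($url);
    return $body === false ? null : $body;
}

// Startup check: refuse to run if the deployment has turned on
// allow_url_include (php.ini: allow_url_include = Off is the default).
if (filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN)) {
    http_response_code(500);
    exit('allow_url_include must be Off');
}

$page = resolve_page((string)($_GET['page'] ?? 'home'));
if ($page === null) {
    http_response_code(404);
    exit('Unknown page');
}
require $page;
```

The allowlist is the important part: the value handed to `require` is always one of the three constants, so the setting of allow_url_include only matters as a second line of defence, which is why the script checks it at startup rather than relying on it.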

-- 
PHP Internals - PHP Runtime Development Mailing List