Hi Leigh,

On Thu, Feb 5, 2015 at 5:31 PM, Leigh <lei...@gmail.com> wrote:

> On 5 February 2015 at 05:37, Adam Harvey <ahar...@php.net> wrote:
> > I'm not totally clear on what this RFC is proposing, honestly. Is the
> > new script statement meant to only include files that are entirely
> > wrapped in <?php and ?> tags? Are files included that way assumed to
> > be PHP and don't require <?php and ?> tags? Something else?
> >
>
> This is my initial reaction to the RFC, it doesn't state the
> _specific_ difference between include/script. I understand what was
> proposed in the nophptags RFC, but I have to make an assumption for
> this RFC.
>
> My assumption is that you want script* to not require <?php to begin
> parsing. i.e. including /etc/passwd would be a parse failure.


I'm proposing *SCRIPT* only inclusion. This can be done by

 - allowing "<?php" only at the top of the script
 - not allowing "?>" anywhere (we may possibly allow it at the end)

Those who do not understand my point, please search for "PHP LFI" or
"PHP file inclusion" for real-life security issues.

Regards,

--
Yasuo Ohgaki
yohg...@ohgaki.net
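
One way to check a file against the two rules proposed above, as an added example that is not part of the original message or the RFC. The function name, its `$allowTrailingClose` parameter and the sample inputs are constructed for illustration; only `token_get_all()` and the `T_*` constants are PHP's own.

```php
<?php
declare(strict_types=1);

/* Returns null when $source obeys both rules, otherwise the reason it fails.
   script_only_violation() and $allowTrailingClose are hypothetical names. */
function script_only_violation(string $source, bool $allowTrailingClose = false): ?string
{
    $tokens = token_get_all($source);   // PHP's own lexer, so strings and comments are handled
    $first  = $tokens[0] ?? null;
    if (!is_array($first) || $first[0] !== T_OPEN_TAG || stripos($first[1], '<?php') !== 0) {
        return 'does not start with "<?php"';
    }
    $last = count($tokens) - 1;
    foreach ($tokens as $i => $tok) {
        if ($i === 0 || !is_array($tok)) {
            continue;                    // single-character tokens are plain strings
        }
        [$id, , $line] = $tok;
        if ($id === T_INLINE_HTML) {
            return "text outside PHP code at line $line";
        }
        if ($id === T_OPEN_TAG || $id === T_OPEN_TAG_WITH_ECHO) {
            return "additional open tag at line $line";
        }
        if ($id === T_CLOSE_TAG && !($allowTrailingClose && $i === $last)) {
            return "close tag at line $line";
        }
    }
    return null;
}

// Constructed sample inputs (not from the original message).
$samples = [
    'passwd-like data' => "root:x:0:0:root:/root:/bin/sh\n",
    'plain script'     => "<?php\n\$s = 'a ?> inside a string is fine';\necho \$s;\n",
    'template'         => "<?php \$t = 'x'; ?>\n<h1><?= \$t ?></h1>\n",
    'trailing close'   => "<?php\necho 1;\n?>\n",
];
foreach ($samples as $name => $src) {
    printf("%-18s strict: %-32s lenient: %s\n", $name,
        script_only_violation($src) ?? 'ok',
        script_only_violation($src, true) ?? 'ok');
}
```

Because the check uses the tokenizer rather than a text search, a "?>" inside a string literal is accepted while a real close tag or any text outside PHP code is rejected.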
