Hi Leigh,

On Thu, Feb 5, 2015 at 7:51 PM, Leigh <lei...@gmail.com> wrote:

> On 5 February 2015 at 10:24, Pierre Joye <pierre....@gmail.com> wrote:
> > I do understand what you are trying to achieve, from all points of view.
> > However I strongly disagree with this as a security improvement. I see
> > this more as yet another attempt to replace what should be done at the
> > OS level.
> >
>
> I'm inclined to agree, this is just another mitigation against a
> specific vector, not a solution. I'm sure given a little bit of time a
> way to bypass it will be found.
>
> Also introducing this in PHP 7 will not fix all of the currently
> broken apps, nor will it get people to start using this method even if
> they do upgrade to PHP 7.
>
> I honestly think this is one of the cases where education is better.


I think you probably didn't have a chance to read my previous mail.
OS protection is not perfect and PHP is still too weak against inclusion
attacks...

We definitely need more protections.

Regards,

--
Yasuo Ohgaki
yohg...@ohgaki.net
