Hi Leigh,

On Sat, Feb 7, 2015 at 3:46 AM, Yasuo Ohgaki <[email protected]> wrote:

>
>>
>> I think this is a better solution than script{,_once}. I definitely
>> prefer it over the previous RFC
>
>
> I thought script()/script_once() is enough, but it's not.
> There are modules that use custom script loaders, including phar. Those
> loaders may do whatever they want, therefore detecting/deciding file type
> (i.e. PHP script) by file content is wrong.
>

If parser state is used, the script() solution would work and may remove
script_path.
Then it's possible to try to read files as PHP script by require() excluding
upload_path/open_basedir/OS restriction. I think this is acceptable.

Please note that an OS solution does not help to prevent PHP from reading
an uploaded script.

Regards,

--
Yasuo Ohgaki
[email protected]
