Hi all,

On Fri, Feb 6, 2015 at 9:02 PM, Yasuo Ohgaki <[email protected]> wrote:

> This RFC was renamed from "script() and script_once()".
> The original proposal had a defect. It wasn't perfect.
>
> This RFC proposes a "script_path" INI directive to eliminate
> file/script inclusion at all via require().
>
> https://wiki.php.net/rfc/script_path
>
> It's a work in progress, but I would like to start the discussion.
>

I would like to know your preference.
Multiple choices are OK ( +1 / -1 )
Comments are appreciated.

1. script_path INI.
   (Defines script path. Almost perfect solution with upload_path INI) [1]
2. upload_path INI.
   (Exception path in script_path. Protection against require('../../upload/evil');) [1]
3. require_embed INI
   (Enable/disable require()/require_once() embed (script only) mode. Temp INI) [2]
4. script()/script_once() [3]
   (No INI switch. Read only scripts. The same as require()/require_once(), require_embed=On)
5. Leave as it is now
   (No protection against file inclusion & execution attacks.)

[1] script_path defines the script directory, upload_path defines exceptions under script_path.
[2] require_embed is not described in the current RFC. It's an INI for enabling/disabling script only mode. require_embed should be REMOVED a few years later.
[3] script/script_once is not described in the current RFC. It reads/executes script-only files.

Thank you!

Regards,

--
Yasuo Ohgaki
[email protected]
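A user-land model of the script_path / upload_path policy described in note [1], added here as an example; it is not code from the RFC or from PHP itself. The function names, the sample directories and the exact matching rules (lexical normalization, whole-segment prefix match) are assumptions.

```php
<?php
// Added illustration. Only the INI names script_path and upload_path come
// from the message; everything else here is hypothetical.

/** Lexically normalize $path, resolving it against $base when relative. */
function normalize_path(string $path, string $base): string
{
    if ($path === '' || $path[0] !== '/') {
        $path = $base . '/' . $path;
    }
    $out = [];
    foreach (explode('/', $path) as $seg) {
        if ($seg === '' || $seg === '.') {
            continue;
        }
        if ($seg === '..') {
            array_pop($out);   // step up one level; stays at root if empty
            continue;
        }
        $out[] = $seg;
    }
    return '/' . implode('/', $out);
}

/** True when $path is $dir itself or lies below it (whole-segment match). */
function is_under(string $path, string $dir): bool
{
    $dir = rtrim($dir, '/');
    return $path === $dir || strncmp($path, $dir . '/', strlen($dir) + 1) === 0;
}

/** Allowed only inside script_path and outside the upload_path exception. */
function require_allowed(string $target, string $cwd, string $scriptPath, string $uploadPath): bool
{
    $resolved = normalize_path($target, $cwd);
    return is_under($resolved, $scriptPath) && !is_under($resolved, $uploadPath);
}

// Constructed sample layout and require() targets.
$scriptPath = '/srv/app';
$uploadPath = '/srv/app/upload';
$cwd        = '/srv/app/lib/util';
$targets    = ['helper.php', '../../upload/evil', '/tmp/other.php', '../../uploader/ok.php'];
foreach ($targets as $t) {
    $verdict = require_allowed($t, $cwd, $scriptPath, $uploadPath) ? 'allow' : 'deny';
    printf("%-24s %s\n", $t, $verdict);
}
```

The model compares path strings only; a check that must also hold against symlinks would compare realpath() results instead.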
