Hi Pierre,

On Tue, Feb 10, 2015 at 6:19 PM, Pierre Joye <pierre....@gmail.com> wrote:

> On Tue, Feb 10, 2015 at 7:52 AM, Yasuo Ohgaki <yohg...@ohgaki.net> wrote:
> > Hi all,
> >
> > Some of you are tired with this topic, but please take a look at the RFC
> >
> > [RFC] Script only includes - this is 3rd version.
> > https://wiki.php.net/rfc/script_only_include
> >
> > Please let me know what you like or dislike.
>
> I said it before, but this RFC tries to solve a problem using yet another
> "security" feature in the engine while the OS and the webserver
> provides way better solutions without adding a possible new pandora
> box from a security point of view.  Many extensions may have to deal
> with it too. I can only create an empty for all upcoming CVEs about
> xyz not following script_embed. Alone that tells me that we should not
> try again to make php "more secure" using such features.
>
> I suppose script_embed ini setting is similar to open_basedir but for
> exec only, which would prevent any script to be exec'ed (require,
> include, via handlers but works for fopen&co) while open_basedir would
> remain the same (aka also for fopen&co). Now, that does prevent one to
> shoot himself in the foot, eval(file_get_contents());. Yes, this is a
> stupid thing to do, just a bit more stupid than require
> "someuploadedfile"; but not much more. Trying to implement security
> measures to prevent people to exec code from an unknown file is a bad
> idea. They will do it one way or another. And if any application
> still does include/require(random/uploaded files), then they surely have
> many other problems to solve but none of them is really a php problem
I think I understood your point of view perfectly and thank you for
your comment. We just have different points of view.

This is the last serious PHP design issue for me.
I've been thinking how it could be resolved for a long time and this is
the best. I hope you agree to remove risks of script inclusions.

Let's be nicer to new PHP users!
Don't let them down by embedded mode include()/require()!

Regards,

--
Yasuo Ohgaki
yohg...@ohgaki.net
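The thread above contrasts an engine-level restriction on include()/require() (the proposed script_embed setting, analogous to open_basedir but for script execution) with handling the problem in the application itself. As an added illustration that is not part of the RFC or of either message, the following PHP 8 function shows what the application-level equivalent looks like: resolving the requested name against a fixed script directory and refusing anything (such as an uploaded file) whose real path falls outside it. The directory layout, function name and the .php suffix rule are assumptions for the example.

```php
<?php
// Added example, not code from the RFC or the thread.
// Assumes PHP 8.0+ (str_contains/str_starts_with/str_ends_with, mixed).
// Assumes all includable scripts live under one root directory and
// that uploaded files are stored somewhere outside that root.

declare(strict_types=1);

/**
 * Include $relative only if it resolves to a .php file strictly inside
 * $allowedRoot. Mirrors what open_basedir does for fopen() & co, but for
 * script execution only. Returns the include's return value; throws on
 * any violation so a bad request never reaches require().
 */
function safe_include(string $allowedRoot, string $relative): mixed
{
    // realpath() canonicalises the root (resolves symlinks, strips '..').
    $root = realpath($allowedRoot);
    if ($root === false) {
        throw new RuntimeException("include root does not exist: $allowedRoot");
    }

    // Only plain relative names are accepted: no NUL bytes, no empty
    // string, no absolute path (assumes a POSIX-style filesystem).
    if ($relative === '' || str_contains($relative, "\0") || $relative[0] === '/') {
        throw new InvalidArgumentException('bad include name');
    }

    // realpath() on the candidate resolves '..' and symlinks for us and
    // returns false if the file does not exist at all.
    $target = realpath($root . DIRECTORY_SEPARATOR . $relative);
    if ($target === false
        || !str_starts_with($target, $root . DIRECTORY_SEPARATOR)
        || !str_ends_with($target, '.php')) {
        throw new RuntimeException("refusing to include: $relative");
    }

    return require $target;
}

// Typical call site: the script name comes from the request,
// the root never does.
//   $page = $_GET['page'] ?? 'home';
//   safe_include(__DIR__ . '/templates', $page . '.php');
```

The containment check is only as good as the assumption that nothing user-controlled can be written under the root; it complements, rather than replaces, keeping the upload directory out of every include path.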
