Hi!

> Some of you are tired of this topic, but please take a look at the RFC
>
> [RFC] Script only includes - this is 3rd version.
> https://wiki.php.net/rfc/script_only_include
>
> Please let me know what you like or dislike.
I think there are several issues with this RFC:

1. It does not protect against all the problems it purports to protect against. I.e. if you want to protect against local PHP code accessing evil uploaded files, local PHP code can also do echo file_get_contents('/etc/passwd') and still have a problem (actually, a very common LFI issue). Even if the application only allows requiring a random file, it may be possible to inject data via other means - such as a data stream, URL, temp files, session files, etc. Upload is not the only way inputs can be controlled.

2. Legitimate files can include <? as a byte sequence - in fact, it is almost guaranteed that a big enough binary file would contain it. Restricting upload of such files would break uploading functionality on many sites.

3. The general approach of this RFC is, given a site with a glaring security hole in its code, to give it a measure of protection against some of the consequences. This looks like the safe_mode approach, and that proved ineffective in the past.

--
Stas Malyshev
smalys...@gmail.com

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
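To illustrate point 1 above, here is an added example (not from the thread, nor from the RFC) contrasting the include pattern the RFC targets with a hardening approach that does not depend on file content at all: an explicit allow-list plus a realpath() prefix check. The templates directory, the helper names and the allow-list contents are assumptions for the example.

```php
<?php
declare(strict_types=1);

// Vulnerable pattern (assumed for illustration): both lines trust $name.
// Restricting include() to files that contain "<?" does nothing for the
// second line, which reads the file directly without ever including it.
function vulnerable_render(string $name): string
{
    ob_start();
    include __DIR__ . '/templates/' . $name;          // LFI via include()
    return ob_get_clean() . file_get_contents($name);  // LFI via plain read
}

// Hardened pattern: accept only names from a fixed allow-list, resolve the
// result under a fixed base directory and refuse anything that escapes it.
// The decision never looks at the target file's bytes, so binary uploads
// containing "<?" (point 2 above) are irrelevant to it.
function safe_render(string $name): string
{
    static $allowed = ['header.php', 'footer.php']; // assumed trusted templates
    $base = realpath(__DIR__ . '/templates');
    if ($base === false || !in_array($name, $allowed, true)) {
        throw new InvalidArgumentException("template not allowed: $name");
    }
    $path = realpath($base . DIRECTORY_SEPARATOR . $name);
    // realpath() collapses "../" and symlinks; the prefix check catches the rest.
    if ($path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        throw new InvalidArgumentException("template escapes base dir: $name");
    }
    ob_start();
    include $path;
    return ob_get_clean();
}

// Constructed inputs: one legitimate name, one traversal attempt, one stream
// wrapper. Only the first passes the allow-list; the rest are rejected before
// the filesystem is touched.
foreach (['header.php', '../../../etc/passwd', 'php://filter/resource=/etc/passwd'] as $candidate) {
    try {
        safe_render($candidate);
        echo "allowed:  $candidate\n";
    } catch (InvalidArgumentException $e) {
        echo "rejected: {$e->getMessage()}\n";
    }
}
```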