Hi!

> I think this will be the final discussion before vote.
> This RFC is to make PHP stronger against script inclusion attacks just like
> other languages.
> 
> https://wiki.php.net/rfc/script_only_include

I still think this RFC takes a wrong road for the following reasons:

1. Having any code in your app that allows running include on
user-controlled files (I'm not talking about filtered cases but user
data controlling the path) is insecure and cannot be made secure. It
should just never be done. Trying to find workarounds for this is like
safe_mode - good idea in theory, leads to worse security in practice.

2. Default configuration would break tons of PHP scripts with extensions
other than .php (very frequent case). The BC break potential of this is
very big as it modifies core functionality.

3. Prohibiting phar uploads would also be a BC break, but more
importantly, there still probably are ways to work around this by using
phar files with an extension different than .phar and then asking to
include files within that phar file. As long as the eventual path would
end in .php, your code would allow it.

Also, the claim that move_upload_file() is obsolete is not based on
anything as far as I can see. Why is it "obsolete"?

-- 
Stas Malyshev
smalys...@gmail.com

-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
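
Added example, not part of the original message and not code from the RFC or php-src: it shows the path-shape problem raised in point 3. Both policy functions, the directory layout and the file names are hypothetical, constructed for illustration.

```php
<?php
// Added illustration; not code from the RFC or php-src.

// Hypothetical suffix-only policy: accept any path whose extension is "php".
function suffix_only_allows(string $path): bool
{
    return strtolower(pathinfo($path, PATHINFO_EXTENSION)) === 'php';
}

// Hypothetical stricter policy: no stream wrappers at all, and the resolved
// file must sit under a script directory that only the application writes to.
function strict_allows(string $path, string $scriptRoot): bool
{
    if (preg_match('#^[a-z][a-z0-9+.-]*://#i', $path)) {
        return false; // phar://, php://, data://, ...
    }
    $real = realpath($path);       // resolves symlinks and ".."; false if missing
    $root = realpath($scriptRoot);
    if ($real === false || $root === false) {
        return false;
    }
    $prefix = $root . DIRECTORY_SEPARATOR;
    return strncmp($real, $prefix, strlen($prefix)) === 0
        && suffix_only_allows($real);
}

// Constructed sample layout: one application script, two "uploaded" files.
$tmp = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'include_demo_' . getmypid();
mkdir("$tmp/app", 0700, true);
mkdir("$tmp/uploads", 0700, true);
file_put_contents("$tmp/app/index.php", "<?php // app script\n");
file_put_contents("$tmp/uploads/avatar.jpg", "placeholder bytes\n");
file_put_contents("$tmp/uploads/note.php", "<?php // uploaded\n");

$candidates = [
    "$tmp/app/index.php",
    "phar://$tmp/uploads/avatar.jpg/x.php", // path shape described in point 3
    "$tmp/uploads/note.php",
];
// Columns: suffix-only decision, strict decision, path.
foreach ($candidates as $p) {
    printf("%-8s %-8s %s\n",
        suffix_only_allows($p) ? 'allow' : 'deny',
        strict_allows($p, "$tmp/app") ? 'allow' : 'deny',
        $p);
}
```

The suffix-only column accepts all three paths, including the wrapper path whose container file is named avatar.jpg; the strict column accepts only the script under the application directory.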
