Hi Dmitry and Nikita, On Mon, Feb 23, 2015 at 6:23 AM, Yasuo Ohgaki <yohg...@ohgaki.net> wrote:
> I wrote patch and made adjustment in the RFC > https://wiki.php.net/rfc/script_only_include > https://github.com/php/php-src/pull/1111 > Where to check filename extension is subject to be changed. > At first, I thought implementing this as PHP code is good, but > I've changed my mind. It seems better to be done in Zend code. > Opinions are appreciated. > > This RFC aims to make PHP as secure as other languages > with respect to "script inclusion" attacks. > Note: File inclusion is not a scope of this RFC. > > INI Changes: > - "php_script" -> "zend.script_extensions" > - "Allow all files": "*" -> NULL or "" > > Open Issues: > - Error type - Is it OK to raise E_ERROR/E_RECOVERABLE_ERROR in > zend_language_scanner.c? > - Vote type - 50%+1 or 2/3 > > If there is anyone who would like to vote "no" for this RFC, > I would like to know the reason and try to address/resolve issue you have. > > Thank you. > We don't have care much about which error is raised from Zend engine, since there will be engine exception. My questions are, is it ok to raise E_ERROR or E_RECOVERABLE_ERROR from zend_language_scanner.c? https://github.com/php/php-src/pull/1111/files#diff-93ad74868f98ff7232ebea00007c8b7fR624 Does engine exception catches error from zend_error_noreturn()? Thank you. Regards, -- Yasuo Ohgaki yohg...@ohgaki.net