Hi!

> Will it add a significant level of protection? No.
> 
> Does it add protection? Yes.
> 
> Each time we add some incremental security hardening, we make it a bit
> harder to create vulnerabilities. In this case, if there were code

In this case, it seems not to be much harder than changing a URL a bit
or uploading a file under a different extension. OTOH, it creates a false
sense of security - oh, I'm using the secure settings, now I can forget
about caring for LFI! - and also has huge BC break potential. For me, it
looks like a magic quotes comeback.

> injection issue, the attacker must a) include a local file (not always
> useful) or b) upload some other apparently innocent file capable of
> being included (extremely useful). As such, this patch would lock out
> an obvious path by restricting the files that can be included to a
> more limited subset.

Unless you disable phar, you can still include pretty much anything by
just using phar includes, as far as I can see. I'm pretty sure there are
also other stream tricks possible (data://? zip://?).

> Enough incremental improvements add up to a significant improvement.

If that were always true, safe mode and magic quotes would still be here
with us.

-- 
Stas Malyshev
smalys...@gmail.com
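To illustrate the point made above, here is an added example (not code from the patch under discussion or from the PHP project) of how an extension allowlist on include targets only adds value once stream wrappers are refused and the path is confined to a directory; the directory, extension list and sample inputs are assumptions for the example.

```php
<?php
// Added illustration: an extension check on include targets is easily
// sidestepped by a stream wrapper (phar://, data://, zip://) or by an
// uploaded file that merely carries an allowed extension, so it is only
// useful as the last of several checks. $allowedDir/$allowedExt are assumed.

function resolve_include_target(string $target, string $allowedDir, array $allowedExt): ?string
{
    // 1. Refuse anything naming a stream wrapper (scheme://) up front, so a
    //    phar://, data:// or zip:// target never reaches the extension check.
    if (preg_match('#^[a-zA-Z][a-zA-Z0-9+.\-]*://#', $target)) {
        return null;
    }
    // Refuse embedded NUL bytes, which could truncate the path in older engines.
    if (strpos($target, "\0") !== false) {
        return null;
    }

    // 2. Canonicalise and confine the result to $allowedDir (realpath resolves
    //    symlinks and ".." and returns false for a nonexistent file).
    $base = realpath($allowedDir);
    $real = realpath($allowedDir . DIRECTORY_SEPARATOR . $target);
    if ($base === false || $real === false) {
        return null;
    }
    if (strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }

    // 3. Only now does the extension allowlist (the patch's idea) do any work.
    $ext = strtolower(pathinfo($real, PATHINFO_EXTENSION));
    if (!in_array($ext, $allowedExt, true)) {
        return null;
    }
    return $real;
}

// Constructed sample inputs (assumed layout: templates live in ./templates as *.php).
$samples = ['home.php', 'avatar.jpg', 'phar://uploads/avatar.jpg/x.php', 'data://text/plain;base64,AA=='];
foreach ($samples as $candidate) {
    $path = resolve_include_target($candidate, __DIR__ . '/templates', ['php']);
    echo $candidate, ' => ', $path === null ? 'rejected' : $path, PHP_EOL;
}
```

Only a plain, existing file under the assumed templates directory with an allowed extension is ever handed to include; every wrapper-based target is rejected before the extension is even looked at.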

-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
