Hi Stas,

On Thu, Feb 26, 2015 at 8:26 AM, Stanislav Malyshev <smalys...@gmail.com> wrote:

> Padraic, I'm not really interested in another prolonged discussion,
> especially where my arguments are ignored or misconstrued and then
> dismissed. I have explained my opinion, if somebody has questions about
> the substance of my arguments or need me to clarify my points, rather
> than flat-out denial of what I am saying, they know where to find me. I
> think this RFC is bad. You think it's excellent. I tried to explain my
> point to you, judging by your responses, I failed to convey my meaning.
> I am probably bad at this, but I'm not going to become better by
> repeating the same over and over.

I'm not ignoring your discussion at all. That's why I proposed context-based protection before. It turned out that context-based detection does not work well at all, given your discussion. So I switched back to the original idea, which detects the filename extension.

As I stated in the RFC, we have had so many script/file inclusion vulnerabilities in the past. F-Secure, which is an antivirus vendor, reports that image-based PHP script malware is increasing! We can easily find WordPress users who had a WebShell installed by attackers, for example.

What I'm proposing is to introduce effective mitigation (defense in depth) against _fatal_ security breaches. Your discussion of this RFC does not negate the protection proposed, IMHO. If you don't like or don't need the protection, you can easily disable it, while the protection can protect many programs/users against fatal security breaches. (I'm not saying the proposal can prevent all kinds of code/attacks.)

I don't think attackers can circumvent the default configuration. If they can, please let me know. Please keep in mind that we are discussing include/require security.

I hope you realize the benefits of this proposal.

Regards,

--
Yasuo Ohgaki
yohg...@ohgaki.net
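The attack the message refers to (an uploaded "image" that carries PHP and gets pulled in through include/require) and the extension-based mitigation the RFC argues for, as an added userland illustration. This is not code from the RFC, from the PHP engine, or from either author; the RFC proposes doing the check inside the engine, whereas this example does the same check in a wrapper so it can be run on any PHP. The names `ALLOWED_SCRIPT_EXTENSIONS`, `safe_include()`, `is_script_path()`, and the sample files are assumptions made for this example. It goes slightly beyond the thread by also confining the include to a base directory, since an extension check alone does nothing against an attacker who can upload a `.php` file or traverse out of the template directory.

```php
<?php
// Added example, not the RFC's or the engine's code. Demonstrates:
//  1. the vulnerable include-from-request pattern behind many PHP webshells,
//  2. an extension allowlist in the spirit of the RFC (only script files may
//     be included, so "avatar.jpg" containing "<?php ..." is refused before
//     include() parses it),
//  3. a base-directory containment check as an extra layer the RFC itself
//     does not claim to provide.
// ALLOWED_SCRIPT_EXTENSIONS, is_script_path(), safe_include() and the sample
// file names are assumptions for this illustration.

const ALLOWED_SCRIPT_EXTENSIONS = ['php', 'phtml', 'inc'];

/** True when $path ends in an extension that is expected to contain PHP. */
function is_script_path(string $path): bool
{
    $ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
    return in_array($ext, ALLOWED_SCRIPT_EXTENSIONS, true);
}

/**
 * Include $relative only if it resolves inside $baseDir and has a script
 * extension. realpath() collapses "../" and symlinks, so the containment
 * check is done on the resolved path, not on the attacker-supplied string.
 */
function safe_include(string $baseDir, string $relative)
{
    $base = realpath($baseDir);
    $resolved = realpath($baseDir . DIRECTORY_SEPARATOR . $relative);
    if ($base === false || $resolved === false) {
        throw new RuntimeException("include target does not exist: $relative");
    }
    if (strncmp($resolved, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        throw new RuntimeException("include target escapes base directory: $relative");
    }
    if (!is_script_path($resolved)) {
        throw new RuntimeException("refusing to include non-script file: $relative");
    }
    return include $resolved;
}

// Vulnerable pattern: the template name comes straight from the request.
// With ?page=../uploads/avatar.jpg the PHP hidden inside the "image" runs.
//
//     include __DIR__ . '/templates/' . $_GET['page'];
//
// Hardened call site with the same shape:
//
//     echo safe_include(__DIR__ . '/templates', $_GET['page'] ?? 'home.php');

// Constructed demonstration using temp files in place of real uploads.
$root = sys_get_temp_dir() . '/incl_demo_' . getmypid();
mkdir("$root/templates", 0700, true);
mkdir("$root/uploads", 0700, true);
file_put_contents("$root/templates/home.php", "<?php return 'rendered home';");
// A JPEG header followed by PHP: this is what "image based PHP script malware" looks like.
file_put_contents("$root/uploads/avatar.jpg", "\xFF\xD8\xFF\xE0<?php return 'webshell ran';");

$attempts = [
    'home.php',                 // legitimate template, included normally
    '../uploads/avatar.jpg',    // refused: escapes the base directory
    'avatar.jpg',               // would be refused on extension even if copied into templates/
];
copy("$root/uploads/avatar.jpg", "$root/templates/avatar.jpg");

foreach ($attempts as $page) {
    try {
        $result = safe_include("$root/templates", $page);
        echo "included $page -> ", var_export($result, true), "\n";
    } catch (RuntimeException $e) {
        echo "blocked  $page -> ", $e->getMessage(), "\n";
    }
}

// Clean up the constructed files.
foreach (["$root/templates/home.php", "$root/templates/avatar.jpg", "$root/uploads/avatar.jpg"] as $f) {
    unlink($f);
}
rmdir("$root/templates");
rmdir("$root/uploads");
rmdir($root);
```

Run it with `php` from the command line. The first attempt is included and returns the template's value; the second is stopped by the containment check before the extension is even looked at; the third, where the malicious file sits inside the template directory, is stopped by the extension allowlist, which is the case the RFC's engine-level check targets. Neither check helps if the attacker can write a file with a `.php` extension into an includable directory, which is why the message describes the proposal as defense in depth rather than a complete fix.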