On 12.04.2011, at 17:19, Lukas Kahwe Smith wrote:

> Hi,
> 
> So I am proposing a topic for the next meeting:
> https://github.com/symfony/symfony/pull/511
> 
> The gist of the discussion is if to add a ".cache" postfix, making it 
> ".php.cache" for all generated PHP files.
> Currently we already apply this convention in the standard edition for the 
> bootstrap files:
> https://github.com/symfony/symfony-standard/blob/master/bin/build_bootstrap.php#L53
> 
> The above pull expands this to also be used for all files generated in the 
> cache dir.
> 
> Now I do not want to start a lengthy discussion on this list, because both 
> sides have already presented their arguments on the pull request. So please 
> if you reply keep it short and focused on what I might have incorrectly 
> represented or have missed.
> 
> Summary:
> -------------
> 
> The pros:
> - automatically hide the files in IDE indexes and CI tools
> 
> The cons:
> - editors will not automatically syntax highlight these files
> - web servers will not interpret these files as PHP files in case of a 
> misconfigured document root
> 
> Personal Comment:
> --------------------------
> 
> I personally believe the cons do not outweigh the benefit.
> Adding ".php.cache" for syntax highlighting is a one time setting, 
> configuring to ignore the cache (and bootstrap) files is a per project task. 
> Furthermore, no end user will ever need to look in these files, let alone do 
> modifications. And even core developers will very rarely need to look in 
> these files. As for misconfigured document root, the config dir itself will 
> then also be wide open, so it's not an additional attack vector.
> 

Apparently the phpBB guys were planning on relying on using the .php extension 
to "secure" their cache from reading. At any rate I have now done a new PR that 
limits the change to the compiled classes, since these duplicate Framework 
class definitions which are the real problem. I have also added a config option 
to change the default .php.cache (yes Henrik disagrees and wants the default to 
be .cache.php, but that would defeat the purpose of the PR):
https://github.com/symfony/symfony/pull/633

Now this should at least prevent IDE look-ups from showing all sorts of bogus 
files.
However this doesn't fix all the issues of the original PR, since IDEs and CI 
tools will now still find .php files to index in the cache dir.

There is also the following PR to be able to control what gets compiled, which 
can help in debugging:
https://github.com/symfony/symfony/pull/525

regards,
Lukas Kahwe Smith
[email protected]
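The two concerns raised in the thread are that generated files keep a suffix a "*.php" handler will execute, and that a misconfigured document root may expose the cache directory. The following audit script is an added example written for this discussion; it is not code from the thread, from Symfony, or from the pull requests linked above. It treats the ".php.cache" convention from the thread as the safe naming and takes two hypothetical arguments: the cache directory and the web document root.

```shell
#!/bin/sh
# Added example (not from the thread or from Symfony). Audits a cache directory
# for generated files that a web server mapping "*.php" to the PHP handler would
# still execute, and checks whether the cache directory lies under the document
# root, the misconfiguration discussed in the thread. Paths are hypothetical.

# Print files under $1 whose name still ends in ".php". Files renamed to the
# ".php.cache" convention do not match and are therefore not reported.
list_executable_cache_files() {
  find "$1" -type f -name '*.php' | sort
}

# Return 0 when the cache dir ($1) resolves to a path inside the document root
# ($2), 1 otherwise. Both paths are canonicalised so symlinks do not hide it.
cache_inside_docroot() {
  [ -d "$1" ] && [ -d "$2" ] || return 1
  cache=$(cd "$1" && pwd -P)
  root=$(cd "$2" && pwd -P)
  case "$cache/" in
    "$root"/*) return 0 ;;
    *)         return 1 ;;
  esac
}

# Run both checks, print a verdict, and return non-zero when anything is flagged.
audit_cache() {
  cache_dir=$1
  doc_root=$2
  status=0
  n=$(list_executable_cache_files "$cache_dir" | wc -l | tr -d ' ')
  if [ "$n" -ne 0 ]; then
    echo "WARN: $n generated file(s) in $cache_dir still use a .php suffix:"
    list_executable_cache_files "$cache_dir" | sed 's/^/  /'
    status=1
  fi
  if cache_inside_docroot "$cache_dir" "$doc_root"; then
    echo "WARN: cache dir $cache_dir is inside document root $doc_root"
    status=1
  fi
  if [ "$status" -eq 0 ]; then
    echo "OK: no .php files in $cache_dir and it is outside $doc_root"
  fi
  return "$status"
}

# Usage: audit_cache app/cache web
```

A non-zero exit from `audit_cache` is convenient for a CI step: it fails the build either when a generator has fallen back to a plain ".php" name or when a deployment has placed the cache under the served tree, which is exactly the case where the suffix starts to matter.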



-- 
If you want to report a vulnerability issue on symfony, please send it to 
security at symfony-project.com

You received this message because you are subscribed to the Google
Groups "symfony developers" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to
[email protected]
For more options, visit this group at
http://groups.google.com/group/symfony-devs?hl=en