Re: RFC: source files without opening tag

From: Date: Tue, 10 Apr 2012 03:12:12 +0000
Subject: Re: RFC: source files without opening tag
Groups: php.internals
Hi,

2012/4/10 Stas Malyshev <[email protected]>:
> Hi!
>
>> LFI risk is unique to PHP. The cause of risk is mandatory embedded script.
>
> No it's not. If you write Python code that loads code from random file
> and evaluates it, it will be "vulnerability in Python". If you write it
> in Bash, it would be "vulnerability in bash". If you write it in C, it
> will be "vulnerability in C". I don't see anything unique to PHP here.

Thank you for pointing out the incorrect statement.
I know the condition to allow LFI for Perl/Ruby, also.
LFI with PHP is just too easy :)

As I wrote in the RFC, PHP would be better if it were as safe as other major
languages. "Better" means it is not mandatory.

Regards,

--
Yasuo Ohgaki
[email protected]

