On Apr 9, 2012, at 10:03 PM, Yasuo Ohgaki <[email protected]> wrote:
> I strongly discourage setting allow_url_include=on, too.
Good.
> Enabling it only when it is needed is okay.
No it's not. There is no reason to do so other than backwards
compatibility for very old code.
> I think you are concerned about security,
Absolutely.
> so you could agree to have
> option for disabling embedded mode by option, couldn't you?
Sure it can be an option. But it can't be the default, at least right
away. It's unreasonable. I would prefer an environmental variable to
choose the mode though. I'm not opposed to a php.ini option, but some
people are.
(If by embedded mode you mean template mode, and non-embedded mode as
"pure code mode").
I still fail to see what this has to do with allow_url_include.
> Letting programmers decide what to do
Not in all cases.
> Programming languages should give freedom to write suicide code
> more or less.
No, it shouldn't.
All that you've said comes down to this:
Don't write bad code. Configure your web server properly.
The RFC isn't meant to address these issues, and quite frankly it
isn't a core PHP issue. It's no different than any language with an
eval() statement.
Keep in mind an RFC isn't gospel. And it's still being drafted. We
need to give Tom a chance to finish it.
Luke