Re: [RFC] No PHP tags

From:	Yasuo Ohgaki	Date:	Tue, 11 Feb 2014 17:42:13 +0000
Subject:	Re: [RFC] No PHP tags
References:	1	Groups:	php.internals
Request:	Send a blank email to [email protected] to get a copy of this message

Hi all,

Let me rephrase. Does anyone argue that the fact

Local script inclusion is *much grater security threat* than local script
expose.

"Local script expose" is the only drawback of this RFC.
Currently, insecure include()/require() allows script execution.
With this RFC, insecure include()/require() may allow script expose.

Latter is obvious error as it shows wrong behavior while script execution
is
not obvious at all. If user care to script expose, they can simply add
"<?php"
at the top of script as it is now.

We can make secure program with register_globals=On as well as embed
everything by default. The same argument applies here. IMHO.


--
Yasuo Ohgaki
[email protected]


On Mon, Feb 10, 2014 at 4:35 PM, Yasuo Ohgaki <[email protected]> wrote:

> Hi all,
>
> "Optional PHP tags by php.ini and CLI options" RFC has been discussed very
> long time.
>
> https://wiki.php.net/rfc/nophptags
>
> I would like to know is there anyone who would like not to have
> this. I think it's good counter measure for LFI, but you might have
> different perspective.
>
> If it is possible, I would like to address as much as opinions possible
> before voting.
>
> Are there anyone who think we should have this?
> What is the reason?
>
> Thank you
>
> --
> Yasuo Ohgaki
> [email protected]
>
>


   

Thread (37 messages)

• Yasuo OhgakiMon, 10 Feb 2014 07:35:28 +0000
  • Stas MalyshevMon, 10 Feb 2014 07:56:35 +0000
  • Rasmus LerdorfMon, 10 Feb 2014 08:14:20 +0000
    • Yasuo OhgakiMon, 10 Feb 2014 21:40:12 +0000
  • Andrea FauldsMon, 10 Feb 2014 12:24:46 +0000
  • Sebastian KrebsMon, 10 Feb 2014 14:16:44 +0000
    • Yasuo OhgakiMon, 10 Feb 2014 21:42:15 +0000
      • Madara UchihaMon, 10 Feb 2014 22:39:51 +0000
      • Lester CaineMon, 10 Feb 2014 23:35:07 +0000
  • Kris CraigTue, 11 Feb 2014 00:29:35 +0000
  • Yasuo OhgakiTue, 11 Feb 2014 17:42:13 +0000Re: [RFC] No PHP tags
    • Rasmus LerdorfTue, 11 Feb 2014 18:10:44 +0000Re: Re: [RFC] No PHP tags
      • Yasuo OhgakiTue, 11 Feb 2014 23:13:30 +0000
        • Yasuo OhgakiTue, 11 Feb 2014 23:33:32 +0000
          • Rasmus LerdorfWed, 12 Feb 2014 01:29:01 +0000
            • Yasuo OhgakiWed, 12 Feb 2014 02:16:20 +0000
        • Lester CaineTue, 11 Feb 2014 23:43:10 +0000
          • Yasuo OhgakiWed, 12 Feb 2014 01:02:26 +0000
            • Lester CaineWed, 12 Feb 2014 05:39:44 +0000
              • Lester CaineWed, 12 Feb 2014 05:56:37 +0000
                • Yasuo OhgakiWed, 12 Feb 2014 06:17:38 +0000
                  • Lester CaineWed, 12 Feb 2014 07:15:40 +0000
                    • Yasuo OhgakiWed, 12 Feb 2014 08:04:29 +0000
              • Yasuo OhgakiWed, 12 Feb 2014 06:26:21 +0000
    • Yasuo OhgakiTue, 11 Feb 2014 18:11:03 +0000
    • Lester CaineTue, 11 Feb 2014 19:26:15 +0000Re: Re: [RFC] No PHP tags
    • Rowan CollinsWed, 12 Feb 2014 22:43:04 +0000Re: Re: [RFC] No PHP tags
      • Yasuo OhgakiThu, 13 Feb 2014 01:30:52 +0000
        • Rasmus LerdorfThu, 13 Feb 2014 15:07:41 +0000
          • Yasuo OhgakiThu, 13 Feb 2014 22:51:59 +0000
            • Rasmus LerdorfFri, 14 Feb 2014 00:00:53 +0000
              • Yasuo OhgakiFri, 14 Feb 2014 01:01:35 +0000
        • Rowan CollinsFri, 14 Feb 2014 17:10:08 +0000
          • Yasuo OhgakiFri, 14 Feb 2014 22:28:08 +0000
            • Johannes SchlüterFri, 14 Feb 2014 23:53:44 +0000
              • Yasuo OhgakiSat, 15 Feb 2014 00:03:23 +0000
• Andrey AndreevTue, 11 Feb 2014 13:21:16 +0000Re: [RFC] No PHP tags