Re: [RFC] No PHP tags

From: Yasuo Ohgaki
Date: Tue, 11 Feb 2014 18:11:03 +0000
Subject: Re: [RFC] No PHP tags
Groups: php.internals
Hi all,

Let me rephrase more accurately. Does anyone argue that the following fact is
debatable?

Local script inclusion is a *much greater security threat* than local script
exposure.

"Local script exposure" is the only drawback of this RFC.
Currently, an insecure include()/require() allows script execution.
With this RFC, an insecure include()/require() may allow script exposure.

If users care about script exposure, they can simply add "<?php" at the top of
the script, as they do now, if the script contains security-sensitive data.
(Correction: script exposure might not be obvious.)

We can write secure programs with register_globals=On, and likewise with
embed-everything by default. The same argument applies here, IMHO.

Regards,

--
Yasuo Ohgaki
[email protected]


On Wed, Feb 12, 2014 at 2:42 AM, Yasuo Ohgaki <[email protected]> wrote:

> Hi all,
>
> Let me rephrase. Does anyone argue that the fact
>
> Local script inclusion is a *much greater security threat* than local script
> exposure.
>
> "Local script exposure" is the only drawback of this RFC.
> Currently, an insecure include()/require() allows script execution.
> With this RFC, an insecure include()/require() may allow script exposure.
>
> The latter is an obvious error, as it shows wrong behavior, while script
> execution is not obvious at all. If users care about script exposure, they
> can simply add "<?php" at the top of the script, as they do now.
>
> We can write secure programs with register_globals=On, and likewise with
> embed-everything by default. The same argument applies here, IMHO.
>
>
> --
> Yasuo Ohgaki
> [email protected]
>
>
> On Mon, Feb 10, 2014 at 4:35 PM, Yasuo Ohgaki <[email protected]> wrote:
>
>> Hi all,
>>
>> The "Optional PHP tags by php.ini and CLI options" RFC has been discussed
>> for a very long time.
>>
>> https://wiki.php.net/rfc/nophptags
>>
>> I would like to know whether there is anyone who would not like to have
>> this. I think it's a good countermeasure for LFI, but you might have a
>> different perspective.
>>
>> If possible, I would like to address as many opinions as possible
>> before voting.
>>
>> Is there anyone who thinks we should have this?
>> What is the reason?
>>
>> Thank you
>>
>> --
>> Yasuo Ohgaki
>> [email protected]
>>
>>
>
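The thread contrasts two outcomes of an insecure include(): today the included file is executed, and under the RFC's default a file without an opening tag would instead be echoed as text. The following PHP is an added example, not code from the thread or from the RFC, showing the pattern the discussion is about beside an allowlist-based include, plus a small deployment check that reports whether a file opens with "<?php" (the mitigation Yasuo suggests for files that must never be exposed). The directory name, the allowlist and the helper names are assumptions made for this example.

```php
<?php
// Added example (not part of the thread): an include() fed directly from
// request input, the allowlisted replacement, and a helper that tells whether
// a file begins with an opening PHP tag. PAGE_DIR, ALLOWED_PAGES and the
// function names are assumptions made for this example.

declare(strict_types=1);

const PAGE_DIR = __DIR__ . '/pages';           // assumed template directory
const ALLOWED_PAGES = ['home', 'about', 'contact']; // assumed allowlist

/**
 * Resolve a page name to a file under PAGE_DIR, or return null.
 * Two checks: the name must be in the allowlist, and the resolved real path
 * must still lie inside PAGE_DIR (covers symlinks and ".." segments).
 */
function resolve_page(string $name): ?string
{
    if (!in_array($name, ALLOWED_PAGES, true)) {
        return null;
    }
    $path = realpath(PAGE_DIR . '/' . $name . '.php');
    $base = realpath(PAGE_DIR);
    if ($path === false || $base === false) {
        return null;
    }
    // realpath() strips trailing separators; compare with one appended so
    // "/srv/pages-other" is not accepted as a prefix match of "/srv/pages".
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

/**
 * Report whether a file begins with "<?php". Under the RFC's proposed default
 * a file without the tag would be printed by include() instead of executed,
 * so a check like this can flag files that would be exposed as text.
 */
function starts_with_php_tag(string $path): bool
{
    $fh = fopen($path, 'rb');
    if ($fh === false) {
        return false;
    }
    $head = fread($fh, 5);
    fclose($fh);
    return $head === '<?php';
}

// --- The insecure pattern the thread refers to (shown only for contrast) ---
// include($_GET['page']);   // request input used directly as an include path

// --- Hardened usage: the request value selects from the allowlist only ---
$page = isset($_GET['page']) ? (string) $_GET['page'] : 'home';
$file = resolve_page($page);
if ($file === null) {
    http_response_code(404);
    exit('Unknown page');
}
if (!starts_with_php_tag($file)) {
    // Log it: this file would be served as text rather than run.
    error_log("page file without opening PHP tag: $file");
}
include $file;
```

The allowlist removes the filesystem path from the request entirely; the realpath() prefix check is a second layer in case the list is later widened to accept names derived from input. The tag check is a deployment-time diagnostic for the exposure case the thread discusses and is independent of which include behaviour PHP ends up with.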

