Re: Re: [RFC] No PHP tags

From:	Yasuo Ohgaki	Date:	Wed, 12 Feb 2014 06:26:21 +0000
Subject:	Re: Re: [RFC] No PHP tags
References:	1 2 3 4 5 6 7	Groups:	php.internals
Request:	Send a blank email to [email protected] to get a copy of this message

Hi Lester,

On Wed, Feb 12, 2014 at 2:39 PM, Lester Caine <[email protected]> wrote:

> LFI is the one that will allow corrupted files containing .php tags to run
> if you have not taken care of them while they are being uploaded. ONLY
> permanently disabling embedding will guarantee that these files do not get
> accidentally loaded. i.e. 'changes the spirit of PHP too much' ...
>
> ----
>   function render_template($template, $template_vars) {
>     ini_set('template_mode', 'on'); // Older PHP ignores
>     include($template, $template_vars); // Or use any other method to
> render.
>
>     ini_set('template_mode', 'off'); // Older PHP ignores
>   }
> ----
>
> Simply pushes the problem around a little and still requires that
> '$template' does not point at a file that contains embedded nasties?
> include($template.'.php', $template_vars); does the job a lot easier?
>

Since current PHP has null byte attack protection,
this is good enough protection. I agree.

The objectives of this RFC is to make PHP as secure as other languages.
Other language
developers do the same silly mistakes, yet almost all of them were not
considered as
"critical security issues" unlike PHP. This is what I would like to change.

Regards,

--
Yasuo Ohgaki
[email protected]


   

Thread (37 messages)

• Yasuo OhgakiMon, 10 Feb 2014 07:35:28 +0000
  • Stas MalyshevMon, 10 Feb 2014 07:56:35 +0000
  • Rasmus LerdorfMon, 10 Feb 2014 08:14:20 +0000
    • Yasuo OhgakiMon, 10 Feb 2014 21:40:12 +0000
  • Andrea FauldsMon, 10 Feb 2014 12:24:46 +0000
  • Sebastian KrebsMon, 10 Feb 2014 14:16:44 +0000
    • Yasuo OhgakiMon, 10 Feb 2014 21:42:15 +0000
      • Madara UchihaMon, 10 Feb 2014 22:39:51 +0000
      • Lester CaineMon, 10 Feb 2014 23:35:07 +0000
  • Kris CraigTue, 11 Feb 2014 00:29:35 +0000
  • Yasuo OhgakiTue, 11 Feb 2014 17:42:13 +0000Re: [RFC] No PHP tags
    • Rasmus LerdorfTue, 11 Feb 2014 18:10:44 +0000Re: Re: [RFC] No PHP tags
      • Yasuo OhgakiTue, 11 Feb 2014 23:13:30 +0000
        • Yasuo OhgakiTue, 11 Feb 2014 23:33:32 +0000
          • Rasmus LerdorfWed, 12 Feb 2014 01:29:01 +0000
            • Yasuo OhgakiWed, 12 Feb 2014 02:16:20 +0000
        • Lester CaineTue, 11 Feb 2014 23:43:10 +0000
          • Yasuo OhgakiWed, 12 Feb 2014 01:02:26 +0000
            • Lester CaineWed, 12 Feb 2014 05:39:44 +0000
              • Lester CaineWed, 12 Feb 2014 05:56:37 +0000
                • Yasuo OhgakiWed, 12 Feb 2014 06:17:38 +0000
                  • Lester CaineWed, 12 Feb 2014 07:15:40 +0000
                    • Yasuo OhgakiWed, 12 Feb 2014 08:04:29 +0000
              • Yasuo OhgakiWed, 12 Feb 2014 06:26:21 +0000
    • Yasuo OhgakiTue, 11 Feb 2014 18:11:03 +0000
    • Lester CaineTue, 11 Feb 2014 19:26:15 +0000Re: Re: [RFC] No PHP tags
    • Rowan CollinsWed, 12 Feb 2014 22:43:04 +0000Re: Re: [RFC] No PHP tags
      • Yasuo OhgakiThu, 13 Feb 2014 01:30:52 +0000
        • Rasmus LerdorfThu, 13 Feb 2014 15:07:41 +0000
          • Yasuo OhgakiThu, 13 Feb 2014 22:51:59 +0000
            • Rasmus LerdorfFri, 14 Feb 2014 00:00:53 +0000
              • Yasuo OhgakiFri, 14 Feb 2014 01:01:35 +0000
        • Rowan CollinsFri, 14 Feb 2014 17:10:08 +0000
          • Yasuo OhgakiFri, 14 Feb 2014 22:28:08 +0000
            • Johannes SchlüterFri, 14 Feb 2014 23:53:44 +0000
              • Yasuo OhgakiSat, 15 Feb 2014 00:03:23 +0000
• Andrey AndreevTue, 11 Feb 2014 13:21:16 +0000Re: [RFC] No PHP tags