Re: Re: [RFC][DISCUSSION] script() and script_once()

Date: Thu, 05 Feb 2015 10:20:53 +0000
Groups: php.internals

Hi Leigh,

On Thu, Feb 5, 2015 at 5:31 PM, Leigh <[email protected]> wrote:

> On 5 February 2015 at 05:37, Adam Harvey <[email protected]> wrote:
> > I'm not totally clear on what this RFC is proposing, honestly. Is the
> > new script statement meant to only include files that are entirely
> > wrapped in <?php and ?> tags? Are files included that way assumed to
> > be PHP and don't require <?php and ?> tags? Something else?
> >
>
> This is my initial reaction to the RFC, it doesn't state the
> _specific_ difference between include/script. I understand what was
> proposed in the nophptags RFC, but I have to make an assumption for
> this RFC.
>
> My assumption is that you want script* to not require <?php to begin
> parsing. i.e. including /etc/passwd would be a parse failure.


I'm proposing *SCRIPT* only inclusion. This can be done by

 - allowing "<?php" only at the top of the script
 - not allowing "?>" anywhere (we may possibly allow it at the end)

Those who do not understand my point, please search for "PHP LFI" or
"PHP file inclusion" for real-life security issues.

Regards,

--
Yasuo Ohgaki
[email protected]
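
The two rules listed in the message can be approximated in userland with PHP's tokenizer before a file is handed to include. This is an added example, not part of the original message or the RFC: is_script_only() is a hypothetical helper, the sample inputs are constructed, and it assumes that "?>" inside a string literal does not count as a closing tag.

```php
<?php
// Hypothetical helper (not a PHP built-in and not from the RFC).
// Assumption: only real closing tags count; "?>" inside a string literal does not.
function is_script_only(string $source, bool $allowTrailingClose = false): bool
{
    $tokens = token_get_all($source);
    // Rule 1: the very first token must be a "<?php" open tag, so a file that
    // starts with any other text (or with "<?" / "<?=") is rejected.
    if ($tokens === [] || !is_array($tokens[0]) || $tokens[0][0] !== T_OPEN_TAG
        || strncasecmp($tokens[0][1], '<?php', 5) !== 0) {
        return false;
    }
    $last = count($tokens) - 1;
    foreach ($tokens as $i => $tok) {
        if (!is_array($tok)) {
            continue; // single-character tokens such as ";" or "{"
        }
        switch ($tok[0]) {
            case T_OPEN_TAG:
            case T_OPEN_TAG_WITH_ECHO:
                if ($i !== 0) {
                    return false; // a second open tag means the file left PHP mode
                }
                break;
            case T_INLINE_HTML:
                return false; // any text outside PHP mode
            case T_CLOSE_TAG:
                // Rule 2: no "?>", except optionally as the final token.
                if (!($allowTrailingClose && $i === $last)) {
                    return false;
                }
                break;
        }
    }
    return true;
}

// Constructed sample inputs.
$samples = [
    'plain script'     => "<?php\nreturn ['debug' => false];\n",
    'passwd-like text' => "root:x:0:0:root:/root:/bin/sh\n",
    'data with tag'    => "comment: <?php echo 1; ?> end\n",
    'template'         => "<?php \$t = 'hi'; ?>\n<h1><?= \$t ?></h1>\n",
    'trailing close'   => "<?php\necho 1;\n?>\n",
    'close in comment' => "<?php\n// done ?>\n",
];
foreach ($samples as $name => $src) {
    printf("%-17s strict=%-5s lenient=%s\n", $name,
        var_export(is_script_only($src), true), var_export(is_script_only($src, true), true));
}
```

Using the tokenizer instead of a string search matters for the last sample: a "?>" inside a single-line comment still ends PHP mode, which a naive scan that skips comments would miss.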

