Hi Leigh, On Fri, Feb 6, 2015 at 9:53 PM, Leigh <lei...@gmail.com> wrote:
> On 6 February 2015 at 12:02, Yasuo Ohgaki <yohg...@ohgaki.net> wrote: > > Hi all, > > > > This RFC was renamed from "script() and script_once()". > > Original proposal had defect. It wasn't perfect. > > > > This RFC proposes "script_path" INI directive to eliminate > > file/script inclusion at all via require(). > > > > https://wiki.php.net/rfc/script_path > > Couple of fixes and questions > > > Introduce script_path and download_path > > Introduce script_path INI that specify directories that execution is > allowed and upload_path > > Change download_path to upload_path. > Yes, I'll fix it. > > > PHP script detection by file content is **NOT** impossible > > Therefore, PHP script detection by file content is impossible. > > I assume that you want to say impossible in both places? > Yes > > > include()/require() is source of file/script inclusion for a long time > > Only require()/require_once() is affected. > > Is this on purpose? Is there a reason that include is not affected? > include()/require() supports URI include. This is the reason why. > > I think this is a better solution than script{,_once}. I definitely > prefer it over the previous RFC I thought script()/script_once() is enough, but it's not. There are modules uses custom script loaders, including phar. Those loader may do whatever they want, therefore detecting/deciding file type (i.e. PHP script) by file content is wrong. Regards, -- Yasuo Ohgaki yohg...@ohgaki.net
