Hi Matthew,
On Sat, Feb 7, 2015 at 5:29 AM, Matthew Leverton <lever...@gmail.com> wrote:
> On Fri, Feb 6, 2015 at 1:02 PM, Yasuo Ohgaki <yohg...@ohgaki.net> wrote:
> >
> > Basically, it's administrative solution. Application should set these
> > setting
> > or administrator should.
> >
> > Library shouldn't touch the setting, otherwise they hit their own foot.
> >
> If this was a PHP_INI_PERDIR setting, then I wouldn't really mind as much.
>
> But as PHP_INI_USER, I don't like it at all.
How about allow to set the ini only once during execution?
To all, please give some feedback. There is option 5(Leave as it is), too!
I would like to know your preference. Multiple choices are OK ( +1 / -1 )
Comments are appreciated.
1. script_path INI. (Defines script path. Almost perfect solution with
upload_path INI) [1]
2. upload_path INI. (Exception path in script_path. Protection against
require('../../upload/evil');) [1]
3. require_embed INI (Enable/disable require()/require_once() embed(script
only) mode. Temp INI) [2]
4. script()/script_once() [3] (No INI switch. Read only scripts. The same
as require()/require_once(), require_embed=On )
5. Leave as it is now (No protection against file inclusion & execution
attacks.)
[1] script_path defines script directory, upload_path defines exceptions
under script_path.
[2] require_embed is not described in current RFC. It's INI for
enable/disable script only mode.
require_embed should be REMOVED few years later.
[3] script/script_once is not described in current RFC. It read/execute
script only file.
Regards,
--
Yasuo Ohgaki
yohg...@ohgaki.net
