Hi Pavel,

On Tue, Feb 10, 2015 at 7:06 PM, Pavel Kouřil <pajou...@gmail.com> wrote:

> IMHO the real solution to this problem is to educate the programmers
> how to write safer applications, not by ini settings.
>

We have already tried to educate users and introduced some
mitigations, e.g. allow_url_include, open_basedir.

However, enough time has passed to prove that wasn't enough, hasn't it?

PHP (many, and these are _only_ a few of them in the wild)
http://www.exploit-db.com/search/?action=search&filter_page=1&filter_description=PHP&filter_author=&filter_platform=0&filter_type=0&filter_lang_id=0&filter_exploit_text=inclusion&filter_port=0&filter_osvdb=&filter_cve=

PERL (0 result)
http://www.exploit-db.com/search/?action=search&filter_page=1&filter_description=&filter_exploit_text=PERL&filter_author=inclusion&filter_platform=0&filter_type=0&filter_lang_id=0&filter_port=&filter_osvdb=&filter_cve=

Rails (0 result)
http://www.exploit-db.com/search/?action=search&filter_page=1&filter_description=Rails&filter_exploit_text=inclusion&filter_author=&filter_platform=0&filter_type=0&filter_lang_id=0&filter_port=&filter_osvdb=&filter_cve=

Python (0 result)
http://www.exploit-db.com/search/?action=search&filter_page=1&filter_description=Python&filter_exploit_text=inclusion&filter_author=&filter_platform=0&filter_type=0&filter_lang_id=0&filter_port=&filter_osvdb=&filter_cve=

JSP (1 result - This is famous)
http://www.exploit-db.com/search/?action=search&filter_page=1&filter_description=JSP&filter_exploit_text=inclusion&filter_author=&filter_platform=0&filter_type=0&filter_lang_id=0&filter_port=&filter_osvdb=&filter_cve=

The picture is clear.

I value education as one of the most important security measures indeed.

However, education is not perfect. If there is an effective countermeasure,
it is better to adopt it. We can write web apps in PHP not only because
it's faster to write, but also because it's easier to write secure code.

We removed "script embedding" from regex functions, so why not for include?
My new proposal is simple and does not incur a performance penalty.

Regards,

--
Yasuo Ohgaki
yohg...@ohgaki.net
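The include pattern the thread is arguing about, as an added example that is not code from the thread or from the PHP project: the unsafe form where the request value picks the file, beside an allow-list form that bounds what include can reach, with the two ini mitigations named in the message noted as defence in depth. The template directory, the file names and the request parameter are assumptions.

```php
<?php
// Added example, not from the mailing-list thread. Shows why "include with
// a request-controlled path" is the vulnerability class being counted above,
// and one way application code bounds it regardless of ini settings.
//
// The message names two deployment-level mitigations; they limit the damage
// but do not fix the code pattern itself (php.ini, assumed paths):
//   allow_url_include = Off        ; no http:// / ftp:// wrappers in include
//   open_basedir = /var/www/app    ; file access confined to this tree

// VULNERABLE: the include path is taken straight from the request, so the
// caller decides which file runs. This is the pattern the thread discusses.
function render_page_unsafe(array $get): void
{
    include $get['page'] . '.php';
}

// HARDENED: map a request value to a fixed allow-list of templates that all
// live under one directory; anything else is refused before include runs.
const TEMPLATE_DIR = __DIR__ . '/templates';   // assumed layout
const TEMPLATES = [                             // assumed template names
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

// Returns the resolved absolute path for a known template key, or null.
function resolve_template(string $page): ?string
{
    if (!isset(TEMPLATES[$page])) {
        return null;                            // unknown key: refuse
    }
    $base = realpath(TEMPLATE_DIR);
    $path = realpath(TEMPLATE_DIR . '/' . TEMPLATES[$page]);
    // Second check: even a mistaken allow-list entry (or a symlink) cannot
    // resolve to something outside the template directory.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

function render_page_safe(array $get): void
{
    $page = (isset($get['page']) && is_string($get['page'])) ? $get['page'] : 'home';
    $path = resolve_template($page);
    if ($path === null) {
        http_response_code(404);
        echo 'Not found';
        return;
    }
    include $path;                              // only ever an allow-listed file
}

render_page_safe($_GET);
```

The allow-list is the part that matters: the request value is a key into a table the application owns, never a path fragment, so neither directory traversal nor remote wrappers have anything to act on. The realpath comparison is redundant with a correct table and is kept so that a later edit to the table cannot silently widen what include accepts.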
