Hi all,

On Tue, Feb 10, 2015 at 9:52 AM, Yasuo Ohgaki <yohg...@ohgaki.net> wrote:

> Some of you are tired of this topic, but please take a look at the RFC
>
> [RFC] Script only includes - this is 3rd version.
> https://wiki.php.net/rfc/script_only_include
>
> Please let me know what you like or dislike.
>

This proposal has a defect.
I was excluding old proposals, and it turned out an old proposal was better.
Thank you Stas.

There was a proposal that limits script execution only to certain filename
extension(s).

Currently, PHP has text script and phar script loaders. If we limit script
filenames, then all users have to do is check filename extensions.
We have null byte injection protection for filenames already.

This would be the simplest and would work well against script inclusion.

Comments are appreciated.

Regards,

--
Yasuo Ohgaki
yohg...@ohgaki.net
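
A userland version of the extension rule described in the message above, added here as an example; it is not code from the RFC or from the poster. The `php`/`phar` extension list and both function names are assumptions, and the upload names are constructed.

```php
<?php
// Assumption: the only extensions the engine would execute under the proposal.
const SCRIPT_EXTENSIONS = ['php', 'phar'];

/**
 * Upload-side check: true when the name could later be executed by an
 * extension-restricted include(), so the upload must be refused.
 */
function is_script_filename(string $name): bool
{
    // Filesystem functions already reject NUL bytes; refuse them here too so
    // the check and the later write can never disagree about the name.
    if (strpos($name, "\0") !== false) {
        return true;
    }
    // Drop any directory part, then the trailing dots/spaces that Windows
    // strips when the file is created ("x.php." is stored as "x.php").
    $base = rtrim(basename(str_replace('\\', '/', $name)), '. ');
    $ext  = strtolower(pathinfo($base, PATHINFO_EXTENSION));
    return in_array($ext, SCRIPT_EXTENSIONS, true);
}

/** Include-side approximation of the rule: only script names are executed. */
function include_script(string $path)
{
    $ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
    if (strpos($path, "\0") !== false || !in_array($ext, SCRIPT_EXTENSIONS, true)) {
        throw new RuntimeException('refusing to include non-script file');
    }
    return include $path;
}

// Constructed sample upload names.
$samples = ['avatar.png', 'notes.txt', 'shell.php', 'Shell.PHP',
            'x.php.', 'a.phar', "img.png\0.php", 'shell.php.jpg'];
foreach ($samples as $n) {
    $shown = str_replace("\0", '\0', $n);
    printf("%-16s %s\n", $shown, is_script_filename($n) ? 'reject' : 'accept');
}
```

`shell.php.jpg` is accepted because its final extension is not a script extension, so `include_script()` would refuse to run it; whether the web server itself maps such a name to a PHP handler is a separate configuration question.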
