Hi Stas,

On Thu, Feb 12, 2015 at 3:21 AM, Stanislav Malyshev <smalys...@gmail.com> wrote:

> > I'm not trying to be perfect, but I would like to make PHP as secure as
> > other languages from script inclusion attacks. It's too easy currently...
>
> PHP is already as secure as the other languages. If you have code in
> Python that loads arbitrary file and executes it, you could upload
> Python file and execute it. If you have code in Ruby that loads
> arbitrary file and executes it, you could upload Ruby file and execute
> it. If you have code in C that... you get the idea. Same with PHP.

Python loads script like

  import foo

where foo is foo.py.

Ruby loads script like

  require 'foo'

where foo is foo.rb.

This is the origin of the difference. We may have something like this.

We may check registered filename extension(s) or may allow to omit registered
extension(s). We may take some benchmarks and decide, since these 2 are
the same basically. Faster is better, but I guess "checking" is faster.

What do you think?
Comments are appreciated.

Regards,

--
Yasuo Ohgaki
yohg...@ohgaki.net
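
The two options raised in the message above (checking a script's registered extension, or letting callers omit it the way `import foo` resolves to foo.py), sketched in userland PHP as an added example that is not part of the original message or of any PHP patch. `REGISTERED_EXTENSIONS`, `resolve_checked` and `resolve_omitted` are hypothetical names, and the sample paths are constructed.

```php
<?php
// Hypothetical list of "registered" script extensions (assumption for this sketch).
const REGISTERED_EXTENSIONS = ['php'];

// Option 1, "checking": refuse any path whose extension is not registered,
// so an uploaded .jpg or .txt can never be handed to include/require.
function resolve_checked(string $path): string
{
    $ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
    if (!in_array($ext, REGISTERED_EXTENSIONS, true)) {
        throw new RuntimeException("refusing to load script with extension '$ext'");
    }
    return $path;
}

// Option 2, "omitting": the caller passes a bare name and the loader appends
// the registered extension itself, as Python's import and Ruby's require do.
function resolve_omitted(string $name): string
{
    // No dots allowed, so the caller cannot supply its own extension or "..".
    if (!preg_match('/\A[A-Za-z0-9_\/-]+\z/', $name)) {
        throw new RuntimeException("invalid script name '$name'");
    }
    return $name . '.' . REGISTERED_EXTENSIONS[0];
}

// Constructed sample inputs: one real script path and two upload-style paths.
foreach (['lib/util.php', 'uploads/avatar.jpg', 'uploads/notes.txt'] as $p) {
    try {
        echo resolve_checked($p), " => allowed\n";
    } catch (RuntimeException $e) {
        echo "$p => ", $e->getMessage(), "\n";
    }
}

foreach (['lib/util', 'uploads/avatar.jpg'] as $n) {
    try {
        echo "$n => ", resolve_omitted($n), "\n";
    } catch (RuntimeException $e) {
        echo "$n => ", $e->getMessage(), "\n";
    }
}
```

In application code the resolved value would be passed on as `require resolve_checked($path);`, so the check runs before the engine opens the file.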