Hi all,

I wrote a patch and made adjustments in the RFC.

https://wiki.php.net/rfc/script_only_include
https://github.com/php/php-src/pull/1111

Where to check the filename extension is subject to change. At first, I thought implementing this as PHP code was good, but I've changed my mind. It seems better to be done in Zend code. Opinions are appreciated.

This RFC aims to make PHP as secure as other languages with respect to "script inclusion" attacks.

Note: File inclusion is not in the scope of this RFC.

INI Changes:
- "php_script" -> "zend.script_extensions"
- "Allow all files": "*" -> NULL or ""

Open Issues:
- Error type - Is it OK to raise E_ERROR/E_RECOVERABLE_ERROR in zend_language_scanner.c?
- Vote type - 50%+1 or 2/3

If there is anyone who would like to vote "no" for this RFC, I would like to know the reason and try to address/resolve the issue you have.

Thank you.

Regards,

--
Yasuo Ohgaki
yohg...@ohgaki.net