On 25/02/2015 22:46, Stanislav Malyshev wrote:
2. I think this RFC provides false sense of security for people that create vulnerable code and lets them think it's OK to have variable includes without adequate safety, since they are "protected" by these changes.
People that are clueless already do not validate anything and are *NOT* protected by this RFC. People that know what they are doing probably do not need this patch. So the way I see it it's a win for random crappy code out there, and a noop at worst for the others.
3. I think it causes significant BC break which might be warranted in case it provides major improvement in security, but IMO in the light of the above it does not provide even minor one.
A way to mitigate this might be to change the default to include a few more common extensions like phtml, inc, or whatever. As those are all commonly associated with PHP and offer no good reason to be allowed in user uploads, I guess it's safe.
Cheers -- Jordi Boggiano @seldaek - http://nelm.io/jordi -- PHP Internals - PHP Runtime Development Mailing List To unsubscribe, visit: http://www.php.net/unsub.php
