Hi all, As some of you know that I'm trying to to eliminate script inclusion attack. I come up with another idea which may have consensus.
PHP compiler is fast enough for almost all apps without script preloading. However, large sites take advantage of opcache_compile_file() to maximize the performance/response. How about have a preloaded scripts configuration? In addition, how about have a option that allows preloaded script only? This way, PHP will execute only scripts listed in the "whitelist". This is perfect solution for eliminating php script inclusion attacks. In addition, users don't have to preload script one by one using opcache_compile_file(). These options may be PHP/Zend or opcache options. I hope everyone like the idea. Any objections and/or comments? Regards, P.S. It's for PHP 7.1, of course. -- Yasuo Ohgaki yohg...@ohgaki.net
