Hi Patrick,

On Sat, May 16, 2015 at 10:32 PM, Patrick Schaaf <p...@bof.de> wrote:
> None of this whitelisting-by-filename would be practical for our setup.
> Have a look at what Smarty does with compiled templates and cached pages:
> PHP includes generated on the fly, with filenames that are not known in
> advance. For such usage a whitelisting per realpath prefix would be the
> only reasonable approach.

I'm aware of this, too. Thank you for bringing this issue up.

Options are

- Have some exceptions for dynamically created scripts
- Libraries should have a precompile feature, e.g. precompile templates for production.
- Users/libraries should create an intelligent white list for dynamically created scripts. (The file to be compiled does not have to exist at startup)

I prefer the 3rd option.

Regards,

--
Yasuo Ohgaki
yohg...@ohgaki.net
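The realpath-prefix whitelisting discussed in this thread, sketched as a userland PHP check. This is an added example, not part of the original message and not PHP's or Smarty's code; the function name and directory names are hypothetical. It compares the resolved path on a directory boundary, and the compiled file does not need to exist when the list is written.

```php
<?php
// Added illustration. script_allowed_by_prefix() and all paths are hypothetical.

/** Return true when $script resolves to a regular file under one of $allowedPrefixes. */
function script_allowed_by_prefix(string $script, array $allowedPrefixes): bool
{
    $real = realpath($script);      // resolves symlinks and "..", false if the file is missing
    if ($real === false || !is_file($real)) {
        return false;
    }
    foreach ($allowedPrefixes as $prefix) {
        $realPrefix = realpath($prefix);
        if ($realPrefix === false) {
            continue;               // prefix directory not present: it matches nothing
        }
        // Compare on a directory boundary so ".../templates_c_evil" does not
        // match the prefix ".../templates_c".
        $realPrefix = rtrim($realPrefix, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
        if (strncmp($real, $realPrefix, strlen($realPrefix)) === 0) {
            return true;
        }
    }
    return false;
}

// Constructed sample layout in a temporary directory.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'prefix_demo_' . bin2hex(random_bytes(4));
mkdir("$base/templates_c", 0700, true);
mkdir("$base/templates_c_evil", 0700, true);
mkdir("$base/uploads", 0700, true);

$allow = ["$base/templates_c"];     // the list is written before any template is compiled

file_put_contents("$base/templates_c/a1b2.index.tpl.php", "<?php // compiled template\n");
file_put_contents("$base/templates_c_evil/x.php", "<?php // sibling directory\n");
file_put_contents("$base/uploads/upload.php", "<?php // uploaded file\n");

$checks = [
    "$base/templates_c/a1b2.index.tpl.php",     // generated on the fly, name not known in advance
    "$base/templates_c_evil/x.php",             // shares only the string prefix
    "$base/templates_c/../uploads/upload.php",  // ".." leads out of the prefix
    "$base/templates_c/not_there.php",          // missing file
];
foreach ($checks as $path) {
    printf("%-5s %s\n", script_allowed_by_prefix($path, $allow) ? 'ALLOW' : 'DENY', $path);
}
```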