rfc:nophptags

Differences

This shows you the differences between two versions of the page.

rfc:nophptags [2014/02/12 04:20]
yohgaki
rfc:nophptags [2018/06/18 10:18] (current)
cmb This RFC appears to be inactive
Line 4: Line 4:
   * Date Modified: 2014-02-12   * Date Modified: 2014-02-12
   * Author: Moriyoshi Koizumi <​moriyoshi@php.net>,​ Yasuo Ohgaki <​yohgaki@ohgaki.net>​   * Author: Moriyoshi Koizumi <​moriyoshi@php.net>,​ Yasuo Ohgaki <​yohgaki@ohgaki.net>​
-  * Status: ​Under Discussion+  * Status: ​Inactive
   * First Published at: http://​wiki.php.net/​rfc/​nophptags   * First Published at: http://​wiki.php.net/​rfc/​nophptags
   * Other formats ..   * Other formats ..
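Review bot: The Status line is changed to Inactive but Date Modified just above it stays 2014-02-12, so the header no longer tells a reader when the RFC stopped being discussed; bump the date to match the 2018/06/18 revision that made the change, and consider carrying that revision's comment ("This RFC appears to be inactive") into the header as the reason. The "* Other formats .." item is left dangling; either list the formats or drop the line.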
Line 28: Line 28:
 ==Add flag that controls embed(template) feature of PHP== ==Add flag that controls embed(template) feature of PHP==
  
-Flag to control embed (template) mode for directly called scripts. (e.g. http://​some/​foo.php or php bar.php Directly executing scripts are script accessed by browser directly, script executed from CLI script.)+Flag to control embed (template) mode for directly called scripts. (e.g. http://​some/​foo.php or php bar.php Directly executing scripts are script accessed by browser directly, script executed from CLI binary.) 
 + 
 +NOTE: **PHP script that has a "<?​php"​ or like at the top of script works regardless of template_mode.**
  
 1) php.ini 1) php.ini
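Review bot: The phrase '"<?php" or like', introduced in the new NOTE and reused throughout this revision, is never defined; state exactly which opening tags it covers, since the Behaviors section already enumerates the matching close tags (?> and %>) and a reader cannot otherwise tell whether short open tags are included. The parenthetical "(e.g. http://some/foo.php or php bar.php Directly executing scripts are ...)" also runs the examples straight into the definition without punctuation; end the example with a period and make the definition its own sentence.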
Line 44: Line 46:
 3) CLI 3) CLI
  
-  php -x foo.php ​ # template mode. "<?​php"​ is required. DEFAULT +  php -x foo.php ​ # template mode. "<?​php" ​or like is required. DEFAULT 
-  php -X foo.php ​ # non-template mode. "<?​php"​ is not required. +  php -X foo.php ​ # non-template mode. "<?​php" ​or like is not required.
  
-==New functions(language constructs) ​include ​program only script==+==Introduce ​functions(language constructs) ​includes ​program only script==
  
 4) New functions to include program only script. 4) New functions to include program only script.
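Review bot: The -x/-X options under 3) CLI do not say how they interact with the template_mode setting from 1) php.ini; state which wins when the ini value and the flag disagree, because a script that relies on non-template mode to keep its source from being emitted behaves differently under the two answers. Two flags that differ only in letter case, with the lowercase one meaning template mode, are easy to confuse; spelling out the equivalence in the comment (for example "same as template_mode=on") would help. The renamed heading should read "Introduce functions (language constructs) that include program-only scripts".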
Line 55: Line 56:
   script_once() - Includes script only file. Other than that. It behaves like include_once()   script_once() - Includes script only file. Other than that. It behaves like include_once()
  
-These are not affected by template_mode at all. These are always script only mode.+These are not affected by template_mode at all. These are always script only mode(template_mode=off). "<?​php"​ or like is only allowed at the top of a script.
  
 ==Existing functions include/​require program and template scripts== ==Existing functions include/​require program and template scripts==
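Review bot: The sentence added here says "<?php" or like "is only allowed at the top of a script" but not what happens when an open tag appears elsewhere; since the Behaviors section chooses to ignore close tags for compatibility, say explicitly whether a mid-file open tag under script()/script_once() is a parse error or is likewise ignored, and reconcile this with the Future Scope bullet, which plans to remove even the top-of-file allowance. The script_once() line also contains a fragment: "Includes script only file. Other than that. It behaves like include_once()" should be "Includes a script-only file; otherwise it behaves like include_once()".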
Line 63: Line 64:
   include()/​include_once()/​require()/​require_once() does not change behavior.   include()/​include_once()/​require()/​require_once() does not change behavior.
  
-These are not affected by template_mode at all. These are always embedded mode.+These are not affected by template_mode at all. These are always embedded mode(template_mode=on).
  
 ==Behaviors== ==Behaviors==
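Review bot: Missing space before the parenthetical in "embedded mode(template_mode=on)", the same slip as "script only mode(template_mode=off)" earlier in this revision; write "embedded mode (template_mode=on)". It would also help to state in this hunk that include()/require() therefore keep executing any PHP tags found anywhere in the included file, which is exactly the property the script() family is being introduced to avoid.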
Line 75: Line 76:
     * Ignore close tags (''?>''​ and ''​%>''​) completely. Raising error is preferred, but ignore them for better compatibility. i.e. There are many scripts that have ''?>''​ at the end even for program only scripts.     * Ignore close tags (''?>''​ and ''​%>''​) completely. Raising error is preferred, but ignore them for better compatibility. i.e. There are many scripts that have ''?>''​ at the end even for program only scripts.
  
-  * When template_mode=On+  * When template_mode=on
     * Exactly the same as now.     * Exactly the same as now.
  
 ==== Future Scope ==== ==== Future Scope ====
  
-  * script()/​script_once() allows "<?​php"​ at the top of script. This is only for easier transition. It may be removed for PHP 7 or later. It may apply to directly called scripts. Security sensitive information should not be written into script directly. Good deployment tool and code should be able to use environment variables for these. +  * script()/​script_once() allows "<?​php" ​or like at the top of script. This is only for easier transition. It may be removed for PHP 7 or later. It may apply to directly called scripts. Security sensitive information should not be written into script directly. Good deployment tool and code should be able to use environment variables for these. 
-  * Use of environment variable is difficult for self contained applications unless there is standard deployment tool. Creating general purpose deployment tool is hard since there are many web servers to support and configuration differs even when web server is the same. If there is no standard deployment tool, we may keep allow to have "<?​php"​ at the top of scripts.+  * Use of environment variable is difficult for self contained applications unless there is standard deployment tool. Creating general purpose deployment tool is hard since there are many web servers to support and configuration differs even when web server is the same. If there is no standard deployment tool, we may keep allowing ​to have "<?​php" ​or like at the top of scripts.
  
 ==== Compatibility ==== ==== Compatibility ====
  
   * Fully compatible with current code. i.e. include()/​require() works as it is now regardless of template mode or not. No compatibility issue at all.   * Fully compatible with current code. i.e. include()/​require() works as it is now regardless of template mode or not. No compatibility issue at all.
-  * Adopting RFC could be lines of change. (Excluding script()/​script_once()) +  * Adopting RFC could be lines of change. (Excluding script()/​script_once() ​Open Issue
-  * Introduce script()/​script_once() for better compatibility and explicit script inclusion. i.e. script()/​script_once() always execute script, no embedding mode at all.+  * Introduce script()/​script_once() for explicit script inclusion. i.e. script()/​script_once() always execute script, no embedding mode at all.
   * New code can be fully compatible with OLD systems. i.e. Users may write script() function wraps include().   * New code can be fully compatible with OLD systems. i.e. Users may write script() function wraps include().
  
 ==== Possible issues ==== ==== Possible issues ====
  
-  * NEW code that omits PHP open tags may be disclosed. For maximum security, user may use "<?​php"​ at be beginning of PHP scripts contains sensitive data. (e.g. password/​API key/etc)+  * New code that omits PHP open tags may be disclosed. For maximum security, user may use "<?​php"​ at be beginning of PHP scripts contains sensitive data. (e.g. password/​API key/etc. Simple configuration/​code error is obvious)
  
 ==== Benefits and Tips==== ==== Benefits and Tips====
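Review bot: The Possible issues bullet names the mitigation but not the condition that triggers the disclosure: say that a file without an opening tag is emitted verbatim to the client whenever it is run in template mode (template_mode=on, which the Behaviors hunk keeps "exactly the same as now", or a directly called script where the CLI hunk makes template mode the default), which is the case the "<?php" at the top guards against. "at be beginning" should read "at the beginning", and the appended "Simple configuration/code error is obvious" has no subject; if it means the mistake is immediately visible because the source shows up in the output, say so. In Compatibility, the parenthesis opened by "(Excluding script()/script_once()" is never closed, "Open Issue" is glued on without punctuation, and "could be lines of change" is missing its quantifier.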
Line 101: Line 102:
     * [[https://​wiki.php.net/​rfc/​source_files_without_opening_tag|Related RFC]] does not address this issue.     * [[https://​wiki.php.net/​rfc/​source_files_without_opening_tag|Related RFC]] does not address this issue.
     * People do make mistakes with embed everything by default. Some recent LFI issues.     * People do make mistakes with embed everything by default. Some recent LFI issues.
-      * [[http://www.exploit-db.com/exploits/18738/|LFI vuln V-CMS]]+      * [[http://packetstormsecurity.com/files/96996/Joomla-XMovie-1.0-Local-File-Inclusion.html|Joomla XMovie 1.0 Local File Inclusion]]
       * [[http://​seclists.org/​bugtraq/​2012/​Apr/​53|CitrusDB 2.4.1 - LFI/SQLi Vulnerability]]       * [[http://​seclists.org/​bugtraq/​2012/​Apr/​53|CitrusDB 2.4.1 - LFI/SQLi Vulnerability]]
       * [[http://​packetstormsecurity.org/​files/​111075/​vtiger-lfi.txt|Vtiger 5.1.0 Local File Inclusion]]       * [[http://​packetstormsecurity.org/​files/​111075/​vtiger-lfi.txt|Vtiger 5.1.0 Local File Inclusion]]
       * [[http://​packetstormsecurity.org/​files/​110906/​onefilecms-lfi.txt|OneFileCMS 1.1.5 Local File Inclusion]]       * [[http://​packetstormsecurity.org/​files/​110906/​onefilecms-lfi.txt|OneFileCMS 1.1.5 Local File Inclusion]]
-      *and many more. +      ​* [[http://​packetstormsecurity.com/​files/​125039/​Shadowbox-Local-File-Inclusion.html|Shadowbox Local File Inclusion]] 
 +      * [[http://​packetstormsecurity.com/​files/​124589/​xBoard-5.0-5.5-6.0-Local-File-Inclusion.html|xBoard 5.0 / 5.5 / 6.0 Local File Inclusion]] 
 +      * [[http://​packetstormsecurity.com/​files/​124321/​Zimbra-Local-File-Inclusion.html|Zimbra Local File Inclusion]] 
 +      * [[http://​packetstormsecurity.com/​files/​123192/​Monsta-FTP-1.3-Local-File-Inclusion.html|Monsta FTP 1.3 Local File Inclusion]] 
 +      * [[http://​packetstormsecurity.com/​files/​120921/​AContent-1.3-Local-File-Inclusion.html|AContent 1.3 Local File Inclusion]] 
 +      * [[http://​packetstormsecurity.com/​files/​121347/​Fork-CMS-Local-File-Inclusion.html|Fork CMS Local File Inclusion]] 
 +      ​*and [[http://​packetstormsecurity.com/​search/?​q=LFI|many more]]
     * [[nophptags#​why_this_is_better_than_now|Why this is better than now]]     * [[nophptags#​why_this_is_better_than_now|Why this is better than now]]
   * Transition is very easy, compatible for both forward/​backward not like the related RFC.   * Transition is very easy, compatible for both forward/​backward not like the related RFC.
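Review bot: The advisory list under "People do make mistakes with embed everything by default" never states what embed-by-default contributes to those bugs; add one sentence explaining that an include of a file chosen by an attacker is only dangerous because include() treats the file as a template and executes any PHP tags inside it, whereas script()/script_once(), which never enter embedded mode, would treat the same file as pure code (so a non-PHP file would generally fail to parse instead of running). Without that sentence the list only shows that LFI bugs exist. The entries also mix packetstormsecurity.org and packetstormsecurity.com hosts; check the older .org links still resolve and normalize them. "*and [[...|many more]]" needs a space after the bullet marker.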
Line 137: Line 144:
  
  
-For better security, program only script ​is better to use script()/​script_once() as it does not affected by template_mode at all, and it always assume program is script only. To be compatible with older PHP, user has to define their own script()/​script_once().+For better security, program only script ​should ​use script()/​script_once() as it does not allow embedded mode. To be compatible with older PHP, user has to define their own script()/​script_once().
  
 <code php> <code php>
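Review bot: The two sentences in this hunk do not hold together: the RFC elsewhere calls script()/script_once() language constructs, yet here users are told to "define their own script()/script_once()" for older PHP, and the Compatibility section says such a shim "wraps include()". A userland wrapper around include() runs in embedded mode, so on older PHP it gives portability but not the "does not allow embedded mode" property this sentence advertises as the security benefit; state that limitation plainly. The shim also needs a guard so it does not conflict with the built-in on new PHP, and if script becomes a reserved word a userland function of that name will not parse at all.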
Line 170: Line 177:
 </​doodle>​ </​doodle>​
  
-Directly called script cannot use script()/​script_once(). Remove inconsistency between directly ​called ​script and indirectly ​called ​script.+Directly called script cannot use script()/​script_once(). Remove inconsistency between directly ​executed ​script and indirectly ​executed ​script.
  
 <doodle title="​Allow to omit script open tag for direct script execution"​ auth="​yohgaki"​ voteType="​single"​ closed="​true">​ <doodle title="​Allow to omit script open tag for direct script execution"​ auth="​yohgaki"​ voteType="​single"​ closed="​true">​
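Review bot: "Remove inconsistency between directly executed script and indirectly executed script" reads as an instruction rather than as the rationale for the vote; phrase it as "This option removes the inconsistency between directly executed and indirectly executed scripts". The vote titled "Allow to omit script open tag for direct script execution" should also point at the Possible issues bullet, because a directly executed file without an open tag is precisely the case in which its source may be served to the client under template mode; voters should see that trade-off next to the question.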
rfc/nophptags.1392178823.txt.gz · Last modified: 2017/09/22 13:28 (external edit)