rfc:nophptags

Differences

rfc:nophptags [2014/02/12 04:33]
yohgaki
rfc:nophptags [2018/06/18 10:18] (current)
cmb This RFC appears to be inactive
Line 4: Line 4:
   * Date Modified: 2014-02-12   * Date Modified: 2014-02-12
   * Author: Moriyoshi Koizumi <​moriyoshi@php.net>,​ Yasuo Ohgaki <​yohgaki@ohgaki.net>​   * Author: Moriyoshi Koizumi <​moriyoshi@php.net>,​ Yasuo Ohgaki <​yohgaki@ohgaki.net>​
-  * Status: ​Under Discussion+  * Status: ​Inactive
   * First Published at: http://​wiki.php.net/​rfc/​nophptags   * First Published at: http://​wiki.php.net/​rfc/​nophptags
   * Other formats ..   * Other formats ..
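Review bot: the Status line changes to Inactive but Date Modified in the same hunk still reads 2014-02-12, so the metadata no longer records when the RFC was retired; bump the date to match this revision (2018/06/18) or extend the line, e.g. `* Status: Inactive (marked 2018-06-18)`.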
Line 28: Line 28:
 ==Add flag that controls embed(template) feature of PHP== ==Add flag that controls embed(template) feature of PHP==
  
-Flag to control embed (template) mode for directly called scripts. (e.g. http://​some/​foo.php or php bar.php Directly executing scripts are script accessed by browser directly, script executed from CLI script.)+Flag to control embed (template) mode for directly called scripts. (e.g. http://​some/​foo.php or php bar.php Directly executing scripts are script accessed by browser directly, script executed from CLI binary.)
  
 NOTE: **PHP script that has a "<?​php"​ or like at the top of script works regardless of template_mode.** NOTE: **PHP script that has a "<?​php"​ or like at the top of script works regardless of template_mode.**
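Review bot: the changed line is still not a sentence: after the two examples it runs on as "php bar.php Directly executing scripts are script accessed by browser directly, script executed from CLI binary." with the "e.g." parenthesis never closed and a number mismatch. Suggest splitting it into `Flag to control embed (template) mode for directly executed scripts (e.g. http://some/foo.php or php bar.php).` followed by `Directly executed scripts are those requested by a browser or run from the CLI binary.` The NOTE below is the key compatibility guarantee; it would be clearer if it also said that template_mode therefore only matters for files that do not start with an open tag.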
Line 56: Line 56:
   script_once() - Includes script only file. Other than that. It behaves like include_once()   script_once() - Includes script only file. Other than that. It behaves like include_once()
  
-These are not affected by template_mode at all. These are always script only mode.+These are not affected by template_mode at all. These are always script only mode(template_mode=off). "<?​php"​ or like is only allowed at the top of a script.
  
 ==Existing functions include/​require program and template scripts== ==Existing functions include/​require program and template scripts==
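Review bot: the added sentence "<?php or like is only allowed at the top of a script" leaves the failure mode unspecified: what do script()/script_once() do when an open tag appears later in the file, or when the file has no open tag at all? Since the Behaviors section chooses to ignore stray close tags for compatibility, this hunk should state explicitly whether a misplaced open tag is an error or is ignored, because that is the property the security argument depends on. Also "script only mode(template_mode=off)" needs a space before the parenthesis.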
Line 64: Line 64:
   include()/​include_once()/​require()/​require_once() does not change behavior.   include()/​include_once()/​require()/​require_once() does not change behavior.
  
-These are not affected by template_mode at all. These are always embedded mode.+These are not affected by template_mode at all. These are always embedded mode(template_mode=on).
  
 ==Behaviors== ==Behaviors==
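Review bot: "embedded mode(template_mode=on)" needs a space before the parenthesis, and the two hunks together should make the consequence explicit: because include()/require() are always embedded mode, nothing in this RFC changes what an include() of a file without a leading open tag does; the protection comes only from migrating program-only includes to script()/script_once(), which is what the text near Line 138 recommends. Saying so here avoids readers assuming template_mode=off hardens include().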
Line 76: Line 76:
     * Ignore close tags (''?>''​ and ''​%>''​) completely. Raising error is preferred, but ignore them for better compatibility. i.e. There are many scripts that have ''?>''​ at the end even for program only scripts.     * Ignore close tags (''?>''​ and ''​%>''​) completely. Raising error is preferred, but ignore them for better compatibility. i.e. There are many scripts that have ''?>''​ at the end even for program only scripts.
  
-  * When template_mode=On+  * When template_mode=on
     * Exactly the same as now.     * Exactly the same as now.
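Review bot: lowercasing template_mode=on matches the template_mode=off / template_mode=on spelling used in the earlier hunks, good. In the unchanged context line above, "i.e. There are many scripts that have ?> at the end" is giving the reason for ignoring close tags rather than restating it, so "because" reads better than "i.e."; and since the line says raising an error is preferred, it should state whether ignoring the tag is silent or emits a notice.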
  
Line 102: Line 102:
     * [[https://​wiki.php.net/​rfc/​source_files_without_opening_tag|Related RFC]] does not address this issue.     * [[https://​wiki.php.net/​rfc/​source_files_without_opening_tag|Related RFC]] does not address this issue.
     * People do make mistakes with embed everything by default. Some recent LFI issues.     * People do make mistakes with embed everything by default. Some recent LFI issues.
-      * [[http://www.exploit-db.com/exploits/18738/|LFI vuln V-CMS]]+      * [[http://packetstormsecurity.com/files/96996/Joomla-XMovie-1.0-Local-File-Inclusion.html|Joomla XMovie 1.0 Local File Inclusion]]
       * [[http://​seclists.org/​bugtraq/​2012/​Apr/​53|CitrusDB 2.4.1 - LFI/SQLi Vulnerability]]       * [[http://​seclists.org/​bugtraq/​2012/​Apr/​53|CitrusDB 2.4.1 - LFI/SQLi Vulnerability]]
       * [[http://​packetstormsecurity.org/​files/​111075/​vtiger-lfi.txt|Vtiger 5.1.0 Local File Inclusion]]       * [[http://​packetstormsecurity.org/​files/​111075/​vtiger-lfi.txt|Vtiger 5.1.0 Local File Inclusion]]
       * [[http://​packetstormsecurity.org/​files/​110906/​onefilecms-lfi.txt|OneFileCMS 1.1.5 Local File Inclusion]]       * [[http://​packetstormsecurity.org/​files/​110906/​onefilecms-lfi.txt|OneFileCMS 1.1.5 Local File Inclusion]]
-      *and many more. +      ​* [[http://​packetstormsecurity.com/​files/​125039/​Shadowbox-Local-File-Inclusion.html|Shadowbox Local File Inclusion]] 
 +      * [[http://​packetstormsecurity.com/​files/​124589/​xBoard-5.0-5.5-6.0-Local-File-Inclusion.html|xBoard 5.0 / 5.5 / 6.0 Local File Inclusion]] 
 +      * [[http://​packetstormsecurity.com/​files/​124321/​Zimbra-Local-File-Inclusion.html|Zimbra Local File Inclusion]] 
 +      * [[http://​packetstormsecurity.com/​files/​123192/​Monsta-FTP-1.3-Local-File-Inclusion.html|Monsta FTP 1.3 Local File Inclusion]] 
 +      * [[http://​packetstormsecurity.com/​files/​120921/​AContent-1.3-Local-File-Inclusion.html|AContent 1.3 Local File Inclusion]] 
 +      * [[http://​packetstormsecurity.com/​files/​121347/​Fork-CMS-Local-File-Inclusion.html|Fork CMS Local File Inclusion]] 
 +      ​*and [[http://​packetstormsecurity.com/​search/?​q=LFI|many more]]
     * [[nophptags#​why_this_is_better_than_now|Why this is better than now]]     * [[nophptags#​why_this_is_better_than_now|Why this is better than now]]
   * Transition is very easy, compatible for both forward/​backward not like the related RFC.   * Transition is very easy, compatible for both forward/​backward not like the related RFC.
Line 138: Line 144:
  
  
-For better security, program only script ​is better to use script()/​script_once() as it does not affected by template_mode at all, and it always assume program is script only. To be compatible with older PHP, user has to define their own script()/​script_once().+For better security, program only script ​should ​use script()/​script_once() as it does not allow embedded mode. To be compatible with older PHP, user has to define their own script()/​script_once().
  
 <code php> <code php>
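Review bot: the compatibility advice undercuts the security claim on the same line: on older PHP a user-defined script()/script_once() can only be built on include()/include_once(), which the hunk at Line 64 says are always embedded mode, so the shim keeps the call sites compatible but provides none of the protection. The text should say that the benefit exists only on PHP versions with native script()/script_once() and that the wrapper for older versions is for forward compatibility only. Minor: "program only script should use" should read "program-only scripts should use".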
Line 171: Line 177:
 </​doodle>​ </​doodle>​
  
-Directly called script cannot use script()/​script_once(). Remove inconsistency between directly ​called ​script and indirectly ​called ​script.+Directly called script cannot use script()/​script_once(). Remove inconsistency between directly ​executed ​script and indirectly ​executed ​script.
  
 <doodle title="​Allow to omit script open tag for direct script execution"​ auth="​yohgaki"​ voteType="​single"​ closed="​true">​ <doodle title="​Allow to omit script open tag for direct script execution"​ auth="​yohgaki"​ voteType="​single"​ closed="​true">​
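Review bot: the rename to "directly executed"/"indirectly executed" is incomplete within the same line, which still opens "Directly called script cannot use script()/script_once()". Change that to "Directly executed scripts cannot use ..." so the vote option uses one term throughout and matches the doodle title "direct script execution" below.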
rfc/nophptags.1392179580.txt.gz · Last modified: 2017/09/22 13:28 (external edit)