As discussed on the mailing lists and on my blog: when running multiple sites on one server, maintained or administered by various people, one really wants to disable all use of PHP input. Not only by permissions, but really.
Because sticking stuff in permissions means that you cannot hand out "administer users", "administer permissions" etc. In practice, that is the same as disallowing about 30% of all administration functions. That is bad.
Hence I stripped all the PHP stuff from filter.module and stuck it in a php input module. If you remove that module, you can finally go to sleep again, without worrying about one client 0wnz0r1ng your server the next morning. Or, for that matter, one funny client stealing all the stuff from another client (by including his settings.php).
Allowing PHP through the web is bad. Always. IMO. I want to be able to run Drupal without any PHP input at all. This patch is the first step towards that.
Note that I do not want to *remove* the option, for it is useful (unsafe, but useful) for a lot of people.
Just that I want to be able to sleep again :)
PS: setting this to critical is intentional; setting it to "code needs work" too. For IMO this is a critical post-4.7 task, one that should be dealt with immediately after the release (for backportability, most of all).

Attachment: remove_php_filter.patch (7.89 KB)