Martin Pitt said:
>
> I fixed a pretty old vulnerability in PHP4's cURL module, see
>
>   http://www.securitytracker.com/alerts/2004/Oct/1011984.html
>
> for details. The Ubuntu patch is at
>
>   http://patches.ubuntu.com/patches/php4.curl-open_basedir.diff

Have you seen the thread at [1]? I haven't checked yet, but does your
patch fully address the different ways you can construct a "file://" URI
(with and without hostname, etc.)?

> The current upstream CVS HEAD is still not fixed, could you please
> pass this to upstream?

According to the above thread, upstream will never accept this, as they're
stubborn twits. (Well, the stubborn twits bit is my own estimate.) But
I'll be happy to add a patch permanently to the Debian sources of both
php4 and php5, if we can make it as clean, simple, and foolproof as
possible.

I can attempt to ping upstream with said patch and convince someone to
commit it once it meets the above criteria (which it may already, I'll
check your patch later today -- thanks).

... Adam
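As an added illustration of the question raised above (the several spellings of a file:// URI that a check in the cURL module has to catch), here is a self-contained C check. It is not the Ubuntu or Debian patch and not PHP's own open_basedir code; it assumes that cURL ignores the host part of a file: URL and opens the path locally, that %XX sequences are decoded before the file is opened (so %00 ends the name the way it would for open(2)), and that a single base directory is configured. The function names and the sample URLs are mine.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    return tolower(c) - 'a' + 10;
}

/* Scheme comparison is case-insensitive: FILE:// must be caught too. */
static int has_file_scheme(const char *s)
{
    const char *want = "file:";
    for (int i = 0; i < 5; i++)
        if (!s[i] || tolower((unsigned char)s[i]) != want[i]) return 0;
    return 1;
}

/* Extract the local path named by a file: URL, whatever its spelling:
 * file:///p, file://localhost/p, file://anyhost/p, FILE:///p, file:/p,
 * with %XX sequences decoded.  Returns 1 and fills out on success, 0 if
 * url is not a file: URL at all, -1 if it is one but has no usable path.
 * Assumption: the host part is ignored and the file is opened locally. */
int file_url_path(const char *url, char *out, size_t outlen)
{
    const char *p = url;
    size_t n = 0;

    if (!has_file_scheme(p)) return 0;
    p += 5;
    if (p[0] == '/' && p[1] == '/') {             /* authority present */
        const char *slash = strchr(p + 2, '/');
        if (!slash) return -1;                     /* host but no path */
        p = slash;
    }
    for (; *p; p++) {
        int c = (unsigned char)*p;
        if (c == '%' && isxdigit((unsigned char)p[1]) && isxdigit((unsigned char)p[2])) {
            c = hexval(p[1]) * 16 + hexval(p[2]);
            p += 2;
        }
        if (c == 0) break;                         /* %00 truncates the name */
        if (n + 1 >= outlen) return -1;
        out[n++] = (char)c;
    }
    out[n] = '\0';
    return n > 0 ? 1 : -1;
}

/* Lexically collapse ".", ".." and repeated slashes in an absolute path.
 * Returns 0 for a relative path or if out is too small. */
int normalize_path(const char *path, char *out, size_t outlen)
{
    const char *p = path;
    size_t n = 0;

    if (path[0] != '/' || outlen < 2) return 0;
    out[n++] = '/';
    while (*p) {
        while (*p == '/') p++;
        if (!*p) break;
        const char *seg = p;
        while (*p && *p != '/') p++;
        size_t len = (size_t)(p - seg);
        if (len == 1 && seg[0] == '.') continue;
        if (len == 2 && seg[0] == '.' && seg[1] == '.') {
            while (n > 1 && out[n - 1] != '/') n--;  /* drop last segment */
            if (n > 1) n--;                          /* and its slash */
            continue;
        }
        if (n + len + 2 > outlen) return 0;
        if (n > 1) out[n++] = '/';
        memcpy(out + n, seg, len);
        n += len;
    }
    out[n] = '\0';
    return 1;
}

/* 1 if url is a file: URL inside basedir (an absolute, already-normalized
 * directory), 0 if it is a file: URL that escapes or is malformed, -1 if
 * it is not a file: URL and some other handler must judge it. */
int file_url_allowed(const char *url, const char *basedir)
{
    char raw[1024], path[1024];
    size_t blen = strlen(basedir);
    int r = file_url_path(url, raw, sizeof raw);

    if (r == 0) return -1;
    if (r < 0 || !normalize_path(raw, path, sizeof path)) return 0;
    if (blen == 1 && basedir[0] == '/') return 1;   /* basedir "/" */
    if (strncmp(path, basedir, blen) != 0) return 0;
    return path[blen] == '\0' || path[blen] == '/'; /* no /var/wwwx trick */
}

int main(void)
{
    /* constructed sample URLs, all judged against basedir /var/www */
    const char *urls[] = {
        "file:///var/www/html/index.html",
        "file://localhost/etc/passwd",
        "FILE:///var/www/../../etc/passwd",
        "file:///var/www/%2e%2e/%2e%2e/etc/passwd",
        "file:/etc/passwd",
        "file://evil.example/var/wwwx/secret",
        "file://localhost",
        "http://example.com/",
    };
    for (size_t i = 0; i < sizeof urls / sizeof urls[0]; i++)
        printf("%2d  %s\n", file_url_allowed(urls[i], "/var/www"), urls[i]);
    return 0;
}
```

The comparison here is lexical only: a real open_basedir check also has to resolve symlinks (a realpath-style expansion) before comparing, and it has to run at every point where the extension can be handed a URL, not only on the first one.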


