As it won't be accepted into the main tree, if it were possible to write your patch as a self-contained PHP extension, then you could develop it in PECL. I haven't taken a look at the code to see if that's possible.
Andi


At 10:09 AM 4/8/2004 +0200, inodes wrote:
It is obvious my proposal is considered as a very bad idea to most of you
;-)

But my goal is not to ask for a definitive patch for PHP, so I probably made
a mistake by posting the initial message in this mailing list...

I just offer this patch for admins who manage applications developed by
others (subcontractors for example).

There are plenty of badly coded PHP apps and nobody has time to fix them, so
if administrators want to minimize security risks, they can:

1-audit & rewrite the code
2-strengthen the underlying engine (aka PHP)

My patch is just a simple way to reinforce the security without changing any
line of code. Of course, there is a risk of losing sessions if legitimate
users have their IP address dynamically changed. And of course, IP address
checking does not protect users behind a proxy or a NAT gateway against
their "colleagues".

But sometimes, the IP checking can be sufficient and won't produce any
side-effect. Let the admins try and decide if it fits their apps.

Furthermore, I added other controls based on the HTTP headers sent by the
browser (this also reduces the risk of session fixation), and the IP address
test can take the IP classes (A, B and C) into account.

Official patches or changes required by users (like me) *must* perfectly
solve a problem, and this patch is far from perfect, so...

Jerome

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
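The controls Jerome describes (binding a session to the client's IP address, optionally at class A/B/C granularity, plus the browser's request headers, with the known caveats for dynamic IPs and proxy/NAT users) can be approximated in userland without touching the engine. The following is an added example written for this thread, not Jerome's patch and not code from PHP itself; the function names, the `__fp` session key, the choice of `User-Agent` and `Accept-Language` as the bound headers, and the `$maskBits` knob (32 = full address, 24/16/8 = class C/B/A) are all assumptions.

```php
<?php
// Added example: bind a PHP session to a fingerprint of the client's IP
// (optionally masked to a class A/B/C prefix) and selected request headers.
// Not the patch from the thread; names and the chosen headers are assumptions.
declare(strict_types=1);

/** Mask an IPv4 address to its leading $maskBits bits, e.g. 24 keeps the class C prefix. */
function mask_ipv4(string $ip, int $maskBits): ?string
{
    if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
        return null; // not IPv4: caller binds to the literal address instead
    }
    $packed = inet_pton($ip);
    $masked = '';
    for ($i = 0; $i < 4; $i++) {
        $keep = max(0, min(8, $maskBits - 8 * $i));           // bits kept in this octet
        $byteMask = $keep === 0 ? 0 : (0xFF << (8 - $keep)) & 0xFF;
        $masked .= chr(ord($packed[$i]) & $byteMask);
    }
    return inet_ntop($masked) . '/' . $maskBits;
}

/** Fingerprint the session is bound to: masked IP plus headers the browser sends on every request. */
function session_fingerprint(array $server, int $maskBits = 32): string
{
    $ip = $server['REMOTE_ADDR'] ?? '';
    $ipPart = mask_ipv4($ip, $maskBits) ?? $ip;
    $headers = [
        $server['HTTP_USER_AGENT'] ?? '',
        $server['HTTP_ACCEPT_LANGUAGE'] ?? '',
    ];
    return hash('sha256', $ipPart . "\0" . implode("\0", $headers));
}

/** Pure check, usable without a live session: does this request match the stored fingerprint? */
function fingerprint_matches(string $stored, array $server, int $maskBits = 32): bool
{
    return hash_equals($stored, session_fingerprint($server, $maskBits));
}

/**
 * Call immediately after session_start(). Returns false when the session was
 * bound to a different client; it is then destroyed and the caller should treat
 * the request as unauthenticated. A session created by someone else (fixation)
 * fails the same way, because its fingerprint was recorded from their request.
 */
function session_enforce_binding(array $server, int $maskBits = 32): bool
{
    if (!isset($_SESSION['__fp'])) {
        session_regenerate_id(true);                      // drop any id handed to us by a third party
        $_SESSION['__fp'] = session_fingerprint($server, $maskBits);
        return true;
    }
    if (!fingerprint_matches($_SESSION['__fp'], $server, $maskBits)) {
        $_SESSION = [];
        session_destroy();
        return false;
    }
    return true;
}

// Constructed sample requests (not real traffic) to show the trade-off from the thread.
$first  = ['REMOTE_ADDR' => '192.0.2.10', 'HTTP_USER_AGENT' => 'Mozilla/5.0 (X11)', 'HTTP_ACCEPT_LANGUAGE' => 'fr'];
$movedIp = $first + [];  $movedIp['REMOTE_ADDR'] = '192.0.2.77';   // same /24, new last octet
$otherUa = $first + [];  $otherUa['HTTP_USER_AGENT'] = 'curl/8.0';

$strict = session_fingerprint($first, 32);
$classC = session_fingerprint($first, 24);
printf("full IP, same client:         %s\n", fingerprint_matches($strict, $first, 32) ? 'ok' : 'REJECT');
printf("full IP, last octet changed:  %s\n", fingerprint_matches($strict, $movedIp, 32) ? 'ok' : 'REJECT');
printf("class C, last octet changed:  %s\n", fingerprint_matches($classC, $movedIp, 24) ? 'ok' : 'REJECT');
printf("class C, different UA:        %s\n", fingerprint_matches($classC, $otherUa, 24) ? 'ok' : 'REJECT');
```

Running it from the CLI prints `ok`, `REJECT`, `ok`, `REJECT`: the class C mask absorbs a change in the last octet (the dynamic-address case) while a header change is still caught. Two of the thread's caveats stay visible in the code: users behind the same proxy or NAT gateway share the masked IP part, so the header fields are the only thing separating them, and `REMOTE_ADDR` must be the real peer address, not a client-supplied forwarding header, or the binding is trivially satisfied.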
