Hi!
This is bad. And there is no point arguing this fact.
Yes, this was bad. Agreed. It was a mistake. Mistakes happen. We fixed it and hopefully learned from it.
These are all basic prinicples of security mitigations. Why is there a need to write up RFC about these things. They are widely accepted by other software vendors/products.
Because there's a difference between principles and applying them in a particular manner in particular patch to particular software. The responsibility of core PHP developers it to evaluate the specific solutions and patches and decide if they are good or not. Regardless of how well or badly it was done in specific cases in the past, this is what should be done. If the author of the patch doesn't want to do this - well, ok, so he would have his patch and we probably won't, unless we find other ways to do it - maybe even the worst way possible, by having security problem illuminate the need - but I see no way around it.
-- Stanislav Malyshev, Software Architect SugarCRM: http://www.sugarcrm.com/ (408)454-6900 ext. 227 -- PHP Internals - PHP Runtime Development Mailing List To unsubscribe, visit: http://www.php.net/unsub.php
