On Tue, Apr 25, 2017 at 5:15 AM, Anatol Belski <a...@php.net> wrote: > I've applied the patch you've suggested in bug #74429, so it's going to be > included in RCs. Given the initial security issue is not impacted, BC can be > kept. > I thought about the security implications of that quick fix and while it doesn't impact the specifics of the bug that led to the tightening, a very slightly modified version would still work, e.g.:
$userSuppliedAddress = '1.2.3.4:8000/' $fp = fsockopen($userSuppliedAddress, 80); // Will connect to port 8000, not the hard-coded 80. So I'm not actually keen on that as a "fix" as it still leaves the vulnerability of overloading address *and* causes things like mysqli_connect() to break when provided with a port in the address. Double-whammy bad. -Sara -- PHP Internals - PHP Runtime Development Mailing List To unsubscribe, visit: http://www.php.net/unsub.php
