Stefan Esser wrote:
This is no legal unix path, because index.php is a file and not a
Oops, missed that part of the path, just looked at the .. :-)
And to understand the security impact:
include "./foo/bar/template_".$userinput;
... which I'd consider bad practice anyway but that's another story :
Hello Marcus,
On Thu, 22 Jul 2004 20:47:31 +0200, "Marcus Boerger" <[EMAIL PROTECTED]>
said:
> Hello Kamesh,
>
> can you adapt your test files to output a single line before the actual
> script starts by using 'echo "*\n";' for example and see if you get
> a blank line in the output then?
>
I did
Christian Schneider wrote:
example: include "./foo/bar/index.php/../../../../../../etc/passwd";
This is a completely legal unix path as .. in / is / again. And from a
security point of view I'd say the only thing you gain by disallowing
this is that the number of .. in the path have to be gues
Stefan Esser wrote:
Realpath is not only slow, it is also "dangerous" on some systems like
linux where it also works on paths that are not really existing.
example: include "./foo/bar/index.php/../../../../../../etc/passwd";
This is a completely legal unix path as .. in / is / again. And from a
Hi,
I'd love to see a realpath() replacement function which makes use of the
stat cache for partial paths as well. Chances are that on a busy ISP
server, for example, you will have thousands of scripts and include files
served up from the same base path and you are going to be statting your
wa
On Sat, 24 Jul 2004, Andi Gutmans wrote:
> Has anyone had a chance to try, test and benchmark the realpath() patch I
> sent to the list?
I had a look the other day, but here is a more detailed look at the system
calls involved in a php5 request. I have stripped out most of the stuff
we can't d
Hi Andrey,
Mail me a patch and I'll fix it.
Regards
--jm
On Sat, 24 Jul 2004 11:30:35 +, Andrey Hristov <[EMAIL PROTECTED]> wrote:
> If someone has time and karma it will be nice if anoncvs.php is fixed
> to add instruction how to checkout 5_0 branch and change the instructions
> about PHP
John Lim wrote:
"Andrey Hristov" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]
G usually comes from Globals and I have seen BG in ext/standard
so maybe BG means Basic functions Globals.
andrey
John Lim wrote:
Andi,
Just a few quick questions. What is the BG macro for? Eg.
if (zend_c
"Andrey Hristov" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]
> G usually comes from Globals and I have seen BG in ext/standard
> so maybe BG means Basic functions Globals.
>
> andrey
>
> John Lim wrote:
> > Andi,
> >
> > Just a few quick questions. What is the BG macro for? Eg.
> >
If someone has time and karma it will be nice if anoncvs.php is fixed
to add instruction how to checkout 5_0 branch and change the instructions
about PHP 5 to PHP 5.1.
Thanks,
andrey
--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
G usually comes from Globals and I have seen BG in ext/standard
so maybe BG means Basic functions Globals.
andrey
John Lim wrote:
Andi,
Just a few quick questions. What is the BG macro for? Eg.
if (zend_call_function(&fci, &BG(fci_cache) TSRMLS_CC) == SUCCESS)
Secondly, I think I need to initial
Andi,
Just a few quick questions. What is the BG macro for? Eg.
if (zend_call_function(&fci, &BG(fci_cache) TSRMLS_CC) == SUCCESS)
Secondly, I think I need to initialize the fci_cache structure first with
fci_cache = empty_fcall_info_cache;
Can I do so in my PHP_MINIT_FUNCTION? Thx.
"Andi
On Fri, 23 Jul 2004 10:25:27 -0700
Andi Gutmans <[EMAIL PROTECTED]> wrote:
> This should probably be applied but what if people are using them
> already? Any idea when these were introduced?
Sorry, no idea, but I doubt somebody could use it, because mail.c's typo
is "incompatible" with php.ini's
Thanks to everyone. I will have a look.
I'm porting the adodb extension to php5, so I thought I might as well ask
this question that's been bugging me for some time.
"Andi Gutmans" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]
> php5/Zend/zend_execute_API.c.
> It's quite simple. I
Andi Gutmans wrote:
Hi George,
Although a bit long, your email was an interesting read.
Thanks.
I am not quite sure how we should approach this problem as PHP's FP has
gone through a zillion patches in the past few years.
Yeahh. Yet another partial solution can do as much harm as good. It
nee
Hey,
It's a bit quiet here lately :)
Has anyone had a chance to try, test and benchmark the realpath() patch I
sent to the list?
Andi