On Jul 31, 2015 2:12 AM, "Matt Wilmas" wrote:
>
> Hi Dmitry, Bogdan,
>
>
> - Original Message -
> From: "Dmitry Stogov"
> Sent: Thursday, July 30, 2015
>
>> Hi Bogdan,
>>
>> On Wed, Jul 29, 2015 at 5:22 PM, Andone, Bogdan
>> wrote:
>>
>>> Hi Guys,
>>>
>>> My name is Bogdan Andone and I wo
Hi Dmitry, Bogdan,
- Original Message -
From: "Dmitry Stogov"
Sent: Thursday, July 30, 2015
Hi Bogdan,
On Wed, Jul 29, 2015 at 5:22 PM, Andone, Bogdan
wrote:
Hi Guys,
My name is Bogdan Andone and I work for Intel in the area of SW
performance analysis and optimizations.
We would li
On 30/07/2015 11:12 pm, Niklas Keller wrote:
2015-07-30 14:42 GMT+02:00 Andone, Bogdan :
-Original Message-
From: Niklas Keller [mailto:m...@kelunik.com]
Sent: Thursday, July 30, 2015 1:47 PM
To: Pierre Joye
Cc: lp_benchmark_robot; PHP internals; l...@lists.01.org
Subject: Re: [PHP-DE
On 30 July 2015 19:25:47 BST, Anthony Ferrara wrote:
> I thought SOAP was dead already.
Tell that to the "Enterprises" who drag and drop in Visual Studio to create
useless wrappers around hand-written XML because that's their definition of
"web service". :P
I don't fully understand where this
On 30 July 2015 21:35:01 BST, Rob Richards wrote:
>On 7/30/15 10:30 AM, Rowan Collins wrote:
>> Rob Richards wrote on 30/07/2015 14:12:
>>> If you are already working with a trusted document then you should
>>> safely be able to disable the entity loader. If you aren't then
>>> wouldn't you want
On Jul 30, 2015 2:27 PM, "Niklas Keller" wrote:
> I prefer Exception, too, because it's I/O related.
>
> @Scott: You can open votes on everything, doesn't matter, just create a
page with a vote.
> I just don't know where to put it in the wiki, because it's not a RFC.
>
> Regards, Niklas
I'm not s
On 7/30/15 2:57 PM, Stanislav Malyshev wrote:
Hi!
The problem here is that imagine the following:
I think if we separate the loading the initial file (i.e., staring point
of the XML parser) and the loading the entities from that file (which is
not happening right now) we'd solve many BC proble
On 7/30/15 10:30 AM, Rowan Collins wrote:
Rob Richards wrote on 30/07/2015 14:12:
If you are already working with a trusted document then you should
safely be able to disable the entity loader. If you aren't then
wouldn't you want to do some sort of checking (especially if you dont
have an XML
Stas,
On Thu, Jul 30, 2015 at 2:57 PM, Stanislav Malyshev wrote:
> Hi!
>
>> The problem here is that imagine the following:
>
> I think if we separate the loading the initial file (i.e., staring point
> of the XML parser) and the loading the entities from that file (which is
> not happening right
Hi!
> The problem here is that imagine the following:
I think if we separate the loading the initial file (i.e., staring point
of the XML parser) and the loading the entities from that file (which is
not happening right now) we'd solve many BC problems. Not sure about
SOAP, but many others for su
2015-07-30 19:12 GMT+02:00 Scott Arciszewski :
> On Mon, Jul 27, 2015 at 2:03 PM, Anthony Ferrara
> wrote:
> > Rowan,
> >
> >> This is certainly some people's concern, but Anatol has raised a subtly
> >> different consistency-related point, which is this:
> >>
> >> Since we have no policy for wha
Jake,
On Thu, Jul 30, 2015 at 1:06 PM, Jake wrote:
> Hello
>
> Disabling this will (at least for me) cause SOAP related stuff to stop
> working as it was expected to work before!
The problem here is that imagine the following:
http://example.com/evil1.dtd";>
and then evil1.dtd:
http://ex
On Mon, Jul 27, 2015 at 2:03 PM, Anthony Ferrara wrote:
> Rowan,
>
>> This is certainly some people's concern, but Anatol has raised a subtly
>> different consistency-related point, which is this:
>>
>> Since we have no policy for what kinds of Throwable should be emitted in
>> what circumstance,
Hello
Disabling this will (at least for me) cause SOAP related stuff to stop
working as it was expected to work before!
https://www.some.tld/soap.php?wsdl";;
$soap = SoapServer($wsdl, array());
wsdl:
http://schemas.xmlsoap.org/wsdl/http/";
xmlns:soap="http://schemas.xmlsoap.org/wsdl/so
Anatol Belski wrote:
>> -Original Message-
>> From: Pierre Joye [mailto:pierre@gmail.com]
>> Sent: Wednesday, July 29, 2015 11:01 PM
>> To: Anthony Ferrara
>> Cc: PHP internals
>> Subject: Re: [PHP-DEV] Disabling External Entities in libxml By Default
>>
>> On Jul 29, 2015 11:38 PM,
Even if some of those people replying haven't read or don't understand what
you are suggesting, it is not a good tactic to assume that and reply with
"read the RFC".
There is a good chance the majority of the people replying have read the
RFC, and found reason to be negative, reserved, cautious, o
On 30 Jul 2015, at 16:24, Scott Arciszewski wrote:
> Just because the solution is known doesn't mean it's known to everyone.
Yes, and if you could just read what I was suggesting, rather than looking at
the subject of this email (and the suggestion by Matt), then you will notice
this is wha
On 30 Jul 2015, at 16:26, Ronald Chmara wrote:
> Perhaps I have missed something in this discussion
I think you have... my email from a couple of weeks ago was ignored... so I
replied to Matt's suggestion (which is similar, but different).
Please, just spend a few minutes reading my suggestio
Perhaps I have missed something in this discussion where such a change to
PHP does not break every single application that is supposed to pass raw,
user submitted, SQL *without* getting prepared/nerfed, or warned about, by
intentional application design.
If we're just limiting the nerfing for subm
On Thu, Jul 30, 2015 at 11:20 AM, Craig Francis
wrote:
> On 30 Jul 2015, at 14:43, Scott Arciszewski wrote:
>
>> This may have been true at one point in time, but my own experience
>> and the statistics collected by Dan Kaminsky of White Hat Security
>> indicates that Cross-Site Scripting vulnera
On 30 Jul 2015, at 14:43, Scott Arciszewski wrote:
> This may have been true at one point in time, but my own experience
> and the statistics collected by Dan Kaminsky of White Hat Security
> indicates that Cross-Site Scripting vulnerabilities are much more
> prevalent in 2015 than SQL Injection,
On 30 Jul 2015, at 13:47, Xinchen Hui wrote:
> anyway, with PHP7's new zend_string, and string flags, the
> implementation will become easier.
Hi Xinchen,
Glad to hear that you are still looking into this... please let me know if
there is anything I can do to help (unfortunately I'm not a C p
Rob Richards wrote on 30/07/2015 14:12:
If you are already working with a trusted document then you should
safely be able to disable the entity loader. If you aren't then
wouldn't you want to do some sort of checking (especially if you dont
have an XML gateway fronting the system) for other mal
Hi Bogdan,
On Wed, Jul 29, 2015 at 5:22 PM, Andone, Bogdan
wrote:
> Hi Guys,
>
> My name is Bogdan Andone and I work for Intel in the area of SW
> performance analysis and optimizations.
> We would like to actively contribute to Zend PHP project and to involve
> ourselves in finding new performa
On 7/29/15 6:01 PM, Stanislav Malyshev wrote:
Hi!
Currently, PHP by default is vulnerable to XXE attacks:
https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing
To bypass this, you need to turn off external entity loading:
libxml_disable_entity_loader(true);
AFAIR right now, du
2015-07-30 14:42 GMT+02:00 Andone, Bogdan :
> > -Original Message-
> > From: Niklas Keller [mailto:m...@kelunik.com]
> > Sent: Thursday, July 30, 2015 1:47 PM
> > To: Pierre Joye
> > Cc: lp_benchmark_robot; PHP internals; l...@lists.01.org
> > Subject: Re: [PHP-DEV] Benchmark Results for P
Hey:
On Thu, Jul 30, 2015 at 8:24 PM, Joe Watkins wrote:
> Hi Andone,
>
> I'm not sure why nobody has replied to you yet, we've all looked at the
> PR and spent a lot of the day yesterday discussing it.
>
> I've CC'd Dmitry, he doesn't always read internals, so this should get
> his atte
Hey:
On Thu, Jul 30, 2015 at 8:14 PM, Joe Watkins wrote:
> I find myself agreeing with Pierre; The wrong signal would be sent. History
> should teach us there is no such thing as (a) safe mode.
>
> Xinchen did used to work on a taint extension, I wonder why that was
> stopped ?
yes, it is https:/
> -Original Message-
> From: Niklas Keller [mailto:m...@kelunik.com]
> Sent: Thursday, July 30, 2015 1:47 PM
> To: Pierre Joye
> Cc: lp_benchmark_robot; PHP internals; l...@lists.01.org
> Subject: Re: [PHP-DEV] Benchmark Results for PHP Master 2015-07-30
>
> 2015-07-30 11:57 GMT+02:00 Pier
Hi Bogdan,
> -Original Message-
> From: Andone, Bogdan [mailto:bogdan.and...@intel.com]
> Sent: Wednesday, July 29, 2015 4:22 PM
> To: internals@lists.php.net
> Subject: [PHP-DEV] Introduction and some opcache SSE related stuff
>
> Hi Guys,
>
> My name is Bogdan Andone and I work for Int
On 30 Jul 2015, at 13:14, Joe Watkins wrote:
> I find myself agreeing with Pierre; The wrong signal would be sent. History
> should teach us there is no such thing as (a) safe mode.
Hi Joe,
Please can you read my proposal (see the email you just replied to, also
below)... I'm replying on th
Hi Andone,
I'm not sure why nobody has replied to you yet, we've all looked at the
PR and spent a lot of the day yesterday discussing it.
I've CC'd Dmitry, he doesn't always read internals, so this should get
his attention.
Lastly, very cool ... I look forward to some more cleverness
I find myself agreeing with Pierre; The wrong signal would be sent. History
should teach us there is no such thing as (a) safe mode.
Xinchen did used to work on a taint extension, I wonder why that was
stopped ?
Worth noticing that the extension is rather complex, touching many parts of
the engin
On Thu, 30 Jul 2015, Ferenc Kovacs wrote:
> On Sun, Feb 22, 2015 at 11:30 PM, Nikita Popov wrote:
>
> > I would like to propose reclassifying our few existing E_STRICT
> > notices and removing this error category:
> >
> > https://wiki.php.net/rfc/reclassify_e_strict
> >
> > As we don't real
2015-07-30 11:57 GMT+02:00 Pierre Joye :
> Hi,
>
> Does someone has a contact there?
>
> It would be nicer to have these results combined with what we pushed on
> qa.php.net as well.
>
> Cheers,
> Pierre
Thought about that as well, results per mail aren't that useful, especially
as they're badly
Hi,
Does someone has a contact there?
It would be nicer to have these results combined with what we pushed on
qa.php.net as well.
Cheers,
Pierre
On Jul 30, 2015 3:29 PM, "lp_benchmark_robot"
wrote:
> Results for project php-src-nightly, build date 2015-07-30 05:00:00+03:00
>
> commit:
On Sun, Feb 22, 2015 at 11:30 PM, Nikita Popov wrote:
> Hi internals!
>
> I would like to propose reclassifying our few existing E_STRICT notices and
> removing this error category:
>
> https://wiki.php.net/rfc/reclassify_e_strict
>
> As we don't really have good guidelines on when which type
On 30 Jul 2015, at 08:24, Lester Caine wrote:
> But that is a perfect example of what I am talking about. You do not
> educate people by publishing the very thing that is wrong. You educate
> them by pointing out to them WHY the '?' was there in the first place.
I completely agree on educatio
On Thu, Jul 30, 2015 at 1:25 AM, Yasuo Ohgaki wrote:
> Hi all,
>
> On Thu, Jul 30, 2015 at 7:44 AM, Yasuo Ohgaki wrote:
>
>> On Thu, Jul 30, 2015 at 1:13 AM, Nikita Popov
>> wrote:
>>
>>> Instead of continuing to use serialize_precision, which will produce
>>> unnecessarily long outputs for man
Results for project php-src-nightly, build date 2015-07-30 05:00:00+03:00
commit: ae1a4f47e6bd9f8d1d969e5080dae60136d7444b
revision_date:2015-07-29 21:00:43+02:00
environment: Haswell-EP
cpu: Intel(R) Xeon(R) CPU E5-2699 v3 @ 2.30GHz 2x18 cores, stepping 2,
LLC 45 MB
On 29/07/15 16:11, Craig Francis wrote:
> I completely disagree... prepared statements are just as vulnerable, and so
> are ORM's.
>
> You can push developers towards these solutions, and that would be good, but
> you are completely blind if you think an uneducated developer won't do:
>
>
41 matches
Mail list logo
