ormed sequences or
unavailable characters does not conform to ISO 10646, will make
debugging more difficult, and can lead to user confusion.
==
--
- Peter Brodersen
--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
",utf8_decode(chr(0xE0)));';
done
07 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 09 00
$ for a in `seq 1 20`; do php -r 'printf("%02x ",utf8_decode(chr(0xE0)));';
done
08 00 00 02 00 00 00 00 00 05 00 00 00 05 00 00 07 00 09 00
$ for a in `seq 1 20`; do php -r
t)
I'm not fond of the "?" feature as well, but it is present in
utf8_decode() and other non-php applications with utf-8 conversion.
My guess is still that some standard recommends this conversion as a
possible fallback for error handling.
also expects the input to be UTF-8
encoded, but it replaces incomplete sequences with the character "?".
I don't know if it is a recommended standard for invalid input but I
have seen this conversion as well in a couple of other applications,
e.g. Firefox.
+1
(sorry for the first post)
them and maybe the ones
>who don't would go through the same process I went through once they get
>used to it J
>
>
>
>Andi
>
>
a whole "independent" language.
I wouldn't like to see php projects have to create different packages
with individual code for different types of os or distribution.
y an input where the number of
bits does not add up to a number divisible by eight? Or is this
feature of md5 simply not relevant to anybody?
anging list of functions
under disable_functions which would make upgrades cumbersome.
ea.
Would there be some caveats with stuff like this if it is possible to
change the charset at runtime?
I guess it is important to be aware of whether a function is affected
by different settings (and if these settings can be changed at
runtime) to conclude if a function really is determini
e good in conjunction with user input.
I'm not too fond of a function that begins with if* - it might
misdirect people to think it's a control structure.
(and now back to your original programme)
talked about unbundling the safe_mode_exec_dir and
keeping that alive:
http://news.php.net/php.internals/20417
Is this still relevant? I like the idea much more than users should
maintain their own disabled_functions list to prevent current and new
exec functions.
. I
don't think it would take a long time to do.
question from the users would be "But what would I have to do
instead?".
I know the development of such a tool might be outside the scope of
usual php development. But if we want to change the behaviour pattern
of the users in the transitional phase it could be necessary.
even have to create two products for
their customer: "Do you want the PHP 6 with unicode setting on or
off?".
I'm just worried that PHP 6 is the new NULL: PHP6 != PHP6 :-)
een replaced
with a new one. Even if a developer would write (portable) PHP 6 only
code.
Of course, configurations could contain a lot of other obscure
settings that might have influence on the script but none as
widespread as the difference in magic_quotes settings.
be to get rid of delimiters and separate the flag into
its own argument, but it would be a hell of a BC break if the input
form suddenly changed.
Nonetheless the current PCRE functions lead to confusion and
weirdness as long as the perl syntax is mixed with php.
.
>
>What's random? Non localhost/127.0.0.1 ?
Actually any smb server that is requested through PHP's means of
fetching a resource (\\smbserver\...) instead of a device mount in the
operating system (e.g. Z:\ ...).
eone could doublecheck it against those attacks it would be
>> >> helpful.
>> >
>> >
>> > Would requests to a smbserver, e.g.
>> > \\10.20.30.40\evil\malicious_php_code.txt be prevented as well? It
>> > seems like smbserver requests are regar
>If someone could doublecheck it against those attacks it would be helpful.
Would requests to a smbserver, e.g.
\\10.20.30.40\evil\malicious_php_code.txt be prevented as well? It
seems like smbserver requests are regarded as part of the default
filesystem wrapper.
even though some might be less obvious than others.
HTTP_HOST could be tainted as well in some cases where a DNS entry and
ServerAlias of *.example.com exists.
An attacker could trick a user into visiting
www.%22%3EXSS.example.com which at least IE6 would accept as a valid
URL.
for the administrator to maintain his own timeout value
(above 24 minutes) without resorting to keepalive-hacks
! Security handling should, where possible, be performed by the code.
or a web developer to discard
a session in a system with a high gc_maxlifetime than to keep a
session alive (e.g. having the page access a php resource every couple
of minutes using javascript).
).
But if there is no (just as) simple way of doing it right, users will
do it in a bad way.
hermore, this behaviour would be vulnerable to new exec-functions
requiring a lot of maintenance for end users.
At least Rasmus mentioned that he would appreciate being reminded of
this feature (of keeping an internal list of exec functions and still
use safe_mode_exec_dir - possibly under a mo
ioned in
<[EMAIL PROTECTED]> ?
This thread is mainly about a safety net for one's own code. But
regarding restricting users, open_basedir is IMO useless if not backed
up by some other methods (like restricting exec functions).
em.
Would the feature of safe_mode_exec_dir in any kind of name be
preserved, as recommended by Rasmus? This might be the exact time to
"remind us later".
ns though (function names might exist but still
unusable), as mentioned in the documentation.
sible new directives
it would be too early to put up some text.
ralized (the current php script)
I guess my main concern is that open_basedir is kept in PHP6 (based on
the talks), but it is pretty much useless if not backed up by other
tools (disable_exec_functions, some_exec_dir_restriction, ...)
de would disable.
Furthermore, this behaviour would be vulnerable to new exec-functions
requiring a lot of maintenance for end users.
If this really is best practice, why don't we just rename safe_mode to
"disable_exec_functions" (and maybe remove UID checks)? It would be
easier to mai
"disable_exec_functions" might be a
setting that is clear about its purpose and impact.
w
files. Other users wouldn't be able to read the files belonging to
"penguin".
This might be out of scope for php, but as a recommended setup I think
it would be fair to provide hints for general setup.
(and once again, I agree that safe_mode is not safe, it is a poor
functiona
Of course the
larger web service providers would have automated their virtual host
generation and Apache2 users might just use mod_macro. Personally I feel
it kind of redundant to specify the user's document_root as their open_basedir
value (although others might want to allow one level up giving
Furthermore, and just a thought: would it be possible to have an option
when compiling an apache module of setting the open_basedir value to
the same as the virtual host's DOCUMENT_ROOT? I think deployment could
be much easier this way.
(oh yeah, and I really hope glob() results would
rojects. Apache, mod_ssl, mod_perl and so on. I can't recall they
seriously would encourage people to disable version information so
much that they would change their default settings to reflect this.
I would agree with Markus. This is security by obscurity. The
automated attacks do happen anyw
e cumbersome to help
people with php issues as the php version is not directly available.
Honestly I'm not sure how I would feel on the "expose version number"
issue if e.g. google would allow people to restrict their searches
based on header information as well.
On Sun, 9 Oct 2005 00:55:45 -0400 (EDT), in php.internals
[EMAIL PROTECTED] (Adam Maccabee Trachtenberg) wrote:
>We seem to be under the impression that the Unicode speed penalty will
>be so harsh that a Unicode-only PHP 6 will be too slow for
>use. However, we don't know that for sure. Yes, it wi
re thinking of.
I can't see any reason for that statement, though.
ehaviour could be a disservice as well. Even though they were meant
to ease a BC transition, you suddenly can't be sure if your code runs
on any other server even if the x.y.z version is the same.
In some cases it could just result in Even Another Initial Ini-Check In
Your PHP Code.
eloper/user with no control of his sysadm's settings?
Would there be any concerns for PHP users who would like their code to
work in different setups? (one with the old behaviour, one with the
new behaviour - both running the same 5.1.x version)
L
>extension, point your browser at
>http://pecl4win.php.net/ext.php/php_oci8.dll
AOL! I mean... great work! :-)
spect a lot of applications will. The
>fact date() now tries to be intelligent about it but fail is a real problem.
Just out of curiosity about the scope of this issue... where did the
string "IDT" come from in the first place?
Any specific distribution? Default OS setting?
like users to search the bug database at
first it might be treated more as a knowledge base. It wouldn't be a
here-and-now solution but could reduce the bogus bug submissions in
time.
t an observation than solutions. Some of the
suggestions might even be patronizing ("you should reply in a good
manner, not in a bad manner").
I suppose there are reasons for many things. I suppose a lot of the
.-answers are when there are many open bugs and a nice developer
decides that
ms like glob.h is that troublesome.
f,pdf,bmp,raw}",GLOB_BRACE));
If all you want is to supply glob() with a list of full or partial
patterns I think the desired functionality is already present.
instead of \\1 or $1)
I'm not that worried about my own preg-usage. I just want to be
prepared if I ever have to review some code for the purpose of
migrating to PHP6.
;) == ...)
Of course I'm not against notices, but I think there is a clear
distinction (or should be...) between stuff that might exist beyond
our control (user-submitted data) and stuff that we rely on (own
variables).
But all in all: very exciting. As mentioned, there really migh
beta"-consideration.
For the sake of the references-fix, I suppose it's a case of DIYDDIYD.
I agree with Zeev regarding the importance of the wording in the
release notes.
LOB_BRACE));
.. are possible even in safe_mode/open_basedir-restrictions, these new
functions will have pretty small effect unless one works his way
entirely around the session functionality in the first place...
E.g.:
http://basedir.ter.dk/globall.php
know - I'm still yackin' about the
print_r(glob("{/home/currentuser/,/etc/}*",GLOB_BRACE)) issue combined
with the glob file name disclosure issue)
Hi,
On Mon, 14 Feb 2005 01:56:41 +0100, in php.internals [EMAIL PROTECTED] (Peter
Brodersen) wrote:
>http://basedir.ter.dk/globeater.php
>http://basedir.ter.dk/globeater.php?debug=1
>http://basedir.ter.dk/globeater.phps
>
>Is it really a-okay that a script in pure PHP u
hing to do with PHP-only-access. I don't believe that
security comes in a box, but any issue to be solved on a
global/centralized level is better than asking sysadms and developers
to perform custom, individual workarounds.
Just my 0.02dkk - thanks for listening!
ange of 0x80 and
0xF7.
That's the nice thing about UTF-8 - no character with code points
above 128 will produce bytes where the uppermost bit is zero (0x00 to
0x7F)
d.apache.org/docs-2.0/mod/mod_proxy.html#proxypreservehost
I miss it in Apache1 :) That feature is pushing me towards Apache2.
s are able to perform
these kinds of stunts, though, so I guess that this just doesn't seem
as much of a problem for those people with full root access to the
entire system]
tirely, one must respect that it is present and part of the system -
for better and for worse.
By the way, since it's a myth, you might stop repeating the myth,
since no-one else bombastically claimed that "Safe mode makes a PHP
installation safe" :)
ing options deal with files, therefor
safe_mode & open_basedir checks
* are required.
*/
.. but it only seems to regard storage of cookiefile and
ssl-certificate.
t/cvs-php.php , but still no reply.
What's the next step for me (besides posting here)?
ity, more powerful features,
etc...)
Quick example, for the curious: (PHP4.3.8, PHP5.0.0)
Expected result:
A "little" test and a 'little' test
A "little" test and a 'little' test
Actual result:
A \"little\" test and a 'little' test
r way around. For a user with the session name
"deadbeefdeadbeefdeadbeefdeadbeef", data could be stored in
sess_(md5sum of "deadbeefdeadbeefdeadbeefdeadbeef").
That way, gaining access to the file name of a session file wouldn't
allow you to hijack that session, since you wouldn't have the original
session name (but only the hashed value).
file, instead of just
directory. First file-check makes no sense (1)
- No "file walking" would be possible (as glob() returns false instead
of raising a warning if no file is matched) (2a)
- File names wouldn't be disclosed (2b)
glob() performing a check on the first file
that matches the pattern, even if this gives arbitrary results?
5. Is there any reason for glob() disclosing file names on warnings?
6. Is there any reason for users to be able to figure out almost any
file name on the system using glob() (which would
d a buffer overflow or anything like that.
This is more a political decision whether or not we would like PHP to
behave this way.
(I will resend the post to [EMAIL PROTECTED] later today if necessary)
5. Is there any reason for glob() disclosing file names on warnings?
6. Is there any reason for users to be able to figure out almost any
file name on the system using glob() (which would require less work than
brute force guesses)?
Thanks for reading all of this - and thanks for the hard work developing
PHP :)
66 matches