Hstefan.es...@sektioneins.de
Breite Str. 159 Tel: 0221 / 29282931
50667 Köln Fax: 0221 / 29282935
http://SektionEins.de/
Firmensitz Breite Str. 159 50667 Köln
Registergericht Amtsgericht Köln HRB 59950
Geschäftsführer:
der Werner Koch's work
valuable and therefore support him building the financial ground to pay
full-time maintainers for software that millions use without even
knowing (HINT: package signatures) or are you just a jerk?
Unbelievable.
Stefan Esser
--
PHP Internals - PHP Runtime Devel
Hi,
>> While this has no immediate impact for average PHP users, it basically kills
>> the possibility for an extension like Suhosin to catch all function starts.
> Actually, there is one, use user opcode handler hook the fcall series
> opcodes, that is how I did in taint extension.
From what I
Hi,
it recently came to my attention that the function whitelist and blacklist
feature inside Suhosin is easily bypassable since PHP 5.0.
The reason for this is that PHP is no longer calling the
zend_execute_internal() hook if a function is called from another function (via
zend_call_function)
t of old code on the internet that relies on magic_quotes_gpc and
it uses utf8 or iso character set and is NOT vulnerable.
Of course using mysql_real_escape_string() and prepared statements are more
secure, but they are not always required to be secure.
Regards,
Stefan Esser
PS: and all that old code will be
Hey Nikita,
> Full disclosure sure is controversial, but I don't think it is
> regarded as necessarily bad. Just look at the way Stefan disclosed the
> PHP 5.3.9 remote code execution vulnerability: Full disclosure.
>
> So please, again, don't call people names.
I guess you are not aware that th
>> * look at the way it was made
>>
>> if only 10% of developers would work like Stefan most software
>> out there would be much better as it is and was all the last years
>> and if someone has this attitude and knowledge I see no single
>> problem and
Pierre,
I think we all know that 90% of your emails consist of twisting other people's
words in the hope to make them look bad
and redirect from the technical content.
Every time in this thread you replied to me, you were not addressing the
technical issue but taking some sentences and
twisting
Pierre,
> Why do you need a RFC to propose something to the W3C, or python? Even
> if it is widely adopted already. No need to answer, that's rather
> obvious.
you still fail to realize that I don't want to propose (anything) to you.
If you love writing RFCs then write some.
I am perfectly satis
Hello,
> I only say a few words and then i will be silent
> I tend to agree with Linus on this one "Security people are insane"
Yes and the security community thinks that Linus is insane for his view on
security topics.
> Not words : write RFC(docs), patches with sane technical discussions
> or
Hi,
>> This is bad. And there is no point arguing this fact.
>
> Yes, this was bad. Agreed. It was a mistake. Mistakes happen. We fixed
> it and hopefully learned from it.
Yes mistakes do happen to everyone and we all hope to learn from them.
And some of us like to buy insurances so that there i
Hello Pierre,
>> See you do it again. You claim I believe EMET has been created because of
>> Suhosin. I never said that. Although one of the lead developers of EMET
>> compared it himself to it.
>> You know some features of Suhosin are already in PHP and the HTTP response
>> splitting drama sh
Hello Pierre,
>> This is ironic because Pierre's employer is Microsoft (excuse me if that is
>> not correct anymore).
>
> Again you are totally wrong. I work with them not for.
>
> And can you please once in this thread (or at all) stop your kiddish
> personal attack and finally bring technica
Hello Stas,
> That's your opinion and you're completely entitled to it and I have absolutely
> no issue about it. As I have no issue with your preferring to keep Suhosin as
> a separate project - it's your code, you decide what to do with it. What I
> have an issue with is understanding how, after
running around
telling everyone that all is perfect now with your RFC and new processes.
Reality shows a different picture.
BTW: "rely on a single person" is also funny. At SektionEins we have more than
one person looking into Suhosin.
Regards,
Stefan Esser
ions.
Also history has proven that sooner or later PHP.net gets bitten by some
vulnerability in the ass and then they will clone one of the Suhosin features
anyway.
Regards,
Stefan Esser
--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
Hello,
I think current events show how important it is to make this case publicly
known.
On Dec 6th 2005 PHP got a partial protection against HTTP response splitting. A
security mitigation == Security Patch == important
The commit is here:
http://svn.php.net/viewvc/php/php-src/trunk/main/SAPI
Hello Pierre,
> Again, please tell me which part of Suhosin would make sense to have
> in the core? With technical explanation or details. Then we can begin
> a good discussion and maybe a RFC to get them in.
what part of "all of it and I am not going to try to convince you about this"
do you no
Hello Pierre,
> Please state the facts. I did add Debian and Ubuntu to the discussions
> on secur...@php.net. For all the issues you have reported yesterday
> (and I do the same for other). I do not know if Ondrej is on the
> security debian list, but that's up to them to deal with that.
Actually
Hey,
> How does it not look stupid for the "lead" maintainer of PHP in Debian* to
> write a "We do not need Suhosin, because I believe there will be no future
> Bugs in PHP" mail the very same day various PHP distributions have to put out
> updates because of a critical security bug that IN FACT
Hello Soenke,
> I know it's hard because he personally attacks people and this doesn't
> help at all, but deal with him. He really made PHP and the interwebs
> more secure for the last decade.
>
> Do not respect him for how (bad) he's communicating things, respect him
> for what he coded. We are
Hey Florian,
> Now that's something I didn't read from Ondřej's mail, but delivering
> the packages with and without suhosin would, while being more work,
> certainly be the most helpful way for users. Then again I'd gladly help if
> there's anything of this additional work that can be done.
people
Hello Pierre,
> This is exactly where you should help php directly instead of doing
> what you do now to defend your patch. In the long run (or maybe even
> mid term), the Suhosin patch will disappear.
I seriously doubt that. The PHP developers will never ever merge all features
into the PHP co
Hello Derick,
>> * and most probably many more that I do not know from the top of my
>> head (these are already 9 features and Suhosin/HPHP exists since 2004 =
>> 8 years).
>
> Lots of stuff in PHP was also "stolen" from Xdebug, but I am not whining
> about that as the goal is (and has always
in Suhosin for a long time -> anyway that
security fix is completely broken and no one cares about it.
Regards,
Stefan Esser
writing inside the bug report that the problem
occurs with and without Suhosin
5) You can just start PHP with the environment variable
SUHOSIN_MM_USE_CANARY_PROTECTION=0 and can use valgrind.
So basically all points you bring up are no issues.
Regards,
Stefan Esser
ently breaks a safe guard.
Regards,
Stefan Esser
f Suhosin you look pretty stupid.
(In case of usage of Suhosin-Extension in default config, it is even completely
killed).
Just saying.
Regards,
Stefan Esser
ng, while it should not.
Regards,
Stefan Esser
, someone discussed HashDOS vs. PHP originally sometime in 2004 and
Hardened-PHP came out in 2004, it is funny that you believe to know why I added
variable count restrictions.
Regards,
Stefan Esser
to numerical indices a legitimate
application might put data into a big array and have legitimate colliding keys.
Regards,
Stefan Esser
ted extensions. But
that said suhosin has a limit similar to max_input_vars for 7 years now.
Regards,
Stefan Esser
this and future different vulnerabilities. ***
Regards,
Stefan Esser
ve resulted in a "this is
deprecated" warning anyway.
Stefan Esser
--
SektionEins GmbH stefan.es...@sektioneins.de
Eupener Straße 150 Tel: 0221 / 29282931
50933 Köln Fax: 0221 / 2928
0 <-
Yes exactly 4.0.0
What happened between 5.3.0 and 5.3.1 is that stas killed that feature
for internal functions to work around a big security problem in the
design of the Zend Engine.
Considering the fact that the feature is DEPRECATED since 4.0.0 it
would even be okay to kill it f
Hello,
> Cannot compile with VC6/x86 under Windows.. Is there any precompiled binary
> for this environment? Thanks
I recently realised that the ZTS build is broken. Will fix it during the
weekend or early next week. I will also move Bytekit and Suhosin.org to
new redmine installations, because Trac
Hello,
> Does anyone know how to inspect the opcode of a php file?
take a look at Bytekit at http://www.bytekit.org
Bye,
Stefan
Hello Josef,
before you want to commit something to the PHP bugs website, you should
recheck your code for obvious XSS bugs in it...
> + value=" ?>" size="30" />
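Review bot: the `value` attribute on this line is filled by a PHP echo (only the closing `?>` survived extraction) with no output escaping, so any value containing a double quote ends the attribute and everything after it is parsed as markup; pass the value through htmlspecialchars($value, ENT_QUOTES) before echoing it into the attribute.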
Greets,
Stefan
Hi Johannes,
> while implementing a small toy extension (see [1]) I found out that
> ZEND_USER_OPCODE_CONTINUE seems to misbehave as it doesn't go to the
> next opcode so I ended up in an endless loop executing the same opcode
> again and again.
I gu
mory problems Suhosin detects.
Stefan Esser
Hi Dmitry,
> __FILE__. "/../../foobar.php" probably could work on Windows/BSD only,
> but won't work anymore.
this works on Linux and everywhere where GLIBC is used, because GLIBC
realpath() supports this nonsense.
Stefan
Hello Dmitry,
while you are at fixing realpath() it might be a good idea to fix the
../ nonsense.
What I mean is:
fopen("this_is_not_a_dir_but_a_file/../../../../../../../../etc/passwd", "r");
works because of realpath() and PHP's wrapper.
Same fo
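The "file/../" problem described in the message above, as an added example that is not part of the original thread and not Stefan's or PHP's code. Path canonicalisation that drops "not_a_dir/.." textually lets a path that passes through a regular file resolve anyway, so a traversal check that only inspects the final resolved path sees "/etc/passwd" and nothing odd. The strict_realpath() helper below (an assumed name; PHP has no such function) resolves one component at a time and refuses any ".." that would step back over something that is not a directory. The temporary file and the probe path are constructed for the demo.

```php
<?php
// Added example, not code from the thread. Resolve a path component by component and
// refuse ".." immediately after anything that is not a directory, which is exactly the
// case realpath() lets through in the post above.
function strict_realpath(string $path): ?string {
    // Absolute paths start at "/", relative ones at the current working directory.
    $cur = ($path !== '' && $path[0] === '/') ? '/' : getcwd();
    if ($cur === false) {
        return null;
    }
    foreach (explode('/', $path) as $part) {
        if ($part === '' || $part === '.') {
            continue;
        }
        if ($part === '..') {
            // Going up only makes sense from a real directory; after a file it is refused.
            if (!is_dir($cur)) {
                return null;
            }
            $cur = dirname($cur);
            continue;
        }
        $next = ($cur === '/' ? '' : $cur) . '/' . $part;
        // file_exists() follows symlinks and fails (ENOTDIR) when $cur is a regular file.
        if (!file_exists($next)) {
            return null;
        }
        // Canonicalise just this component so symlinked directories still work.
        $resolved = realpath($next);
        if ($resolved === false) {
            return null;
        }
        $cur = $resolved;
    }
    return $cur;
}

// Constructed demo: a temporary regular file plays "this_is_not_a_dir_but_a_file".
$file  = tempnam(sys_get_temp_dir(), 'notadir');
$probe = $file . '/../../../../../../../../etc/passwd';

// With the canonicalisation the post describes, realpath() walks back over the file
// and reaches /etc/passwd; strict_realpath() stops at the first ".." and returns NULL.
var_dump(realpath($probe));
var_dump(strict_realpath($probe));

// A benign path through real (possibly symlinked) directories still resolves to the
// same result realpath() gives.
var_dump(strict_realpath(dirname($file) . '/./' . basename($file)) === realpath($file));

unlink($file);
```

The check is independent of how realpath() or PHP's stream wrapper normalise the string: it never looks at the final path, it asks the filesystem at every step whether stepping back is legitimate.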
Hi,
> The idea also won't work with variables and unresolved constants as
> "case" labels (I saw your extension already carries about this limitation).
Yeah constants are the reason why I perform the optimization at runtime.
Because the moment a swit
is most of the time.
But yeah I know that there are some (potential) problems ;) That is why
it is experimental. The bigger question is however if the whole idea
fails with some switch() constructs.
Stefan Esser
the moment
Stefan Esser
Hi,
for everyone interested in getting the last bit of speed out of his PHP
I created a small extension that overrides the ZEND_CASE opcode and
optimizes its execution.
On the first execution of a switch statement it builds up a jumptable
for all the
. So there is only one copy of the
.dll/.exe loaded for ALL processes using it...
Stefan Esser
-08.
Considering the fact that PHP 4.4.8 is known to have several public
security problems that were only fixed in PHP 5, releasing PHP 4.4.9
as the last final version is the right thing to do.
Stefan Esser
characters. In single byte PHP these characters are
wrongly considered as escape sequences by the parser while the
multi-byte parser realises that they are not escape sequences.
The same is true for Chinese people using GBK. (afaik GBK is not
completely within utf-8)
Stefan Esser
However this also means that all those
Japanese/Chinese/Korean/Taiwanese/... multibyte scripts will not run
anymore. This forces systems to stay on PHP 5.2 which will most probably
not get security updates once PHP 5.3 is out of the door.
Stefan Esser
exports different structs depending on PHP version.
Ah yes, and you need to load many symbols through the libc because they
might not exist in the PHP version. f.e. globals...
Stefan Esser
Hi Marcus,
> did we change from non ZTS to ZTS builds on MacOS? ZTS builds do a bunch
> of additional copying of tables.
Nope. Thread Safety is disabled.
I did my comparison with PHP 5.2.5 and PHP 5.3-Snapshot.
Both versions were compiled with
Good morning,
I just want to bring attention to the fact that while benchmarks show
that PHP 5.3 is faster than PHP 5.2 on Linux systems, on MacOS/X the
opposite is shown.
Actually just executing bench.php from the PHP distribution shows that
PHP 5.3
usually... If
your code uses _REQUEST then overwrite it with an array_merge() of _GET
and _POST in the beginning of the script.
Stefan Esser
t systems come to mind.
Unfortunately removing C from variables_order does not only remove
cookies from _REQUEST but removes the content of _COOKIE. And that would
kill e.g. ext/session.
It would have been a good idea to have such a configuration option that
allows to specify what is in _REQUEST
Stefan Priebsch wrote:
> Richard Lynch wrote:
>> If a web service really doesn't care whether it is responding to GET
>> or POST or even forged COOKIES to produce its output, why would it not
>> just use REQUEST?
>>
>> It's not as if it's any harder to forge GET vs. POST vs. COOKIE data,
>> rea
to detect wrong types passed to functions is gone...
Imagine
function doStuff(string $x)
{
...
}
doStuff(md5($_GET['xxx']));
When you cast you don't realise that this code is broken
md5(array()); returns NULL; which is autocasted and doStuff() accepts it...
Stefan Esser
ll not have the
same benefit.
So in short I believe that people insist that "1" should be type casted
to 1 because if it is implemented that way the whole feature makes no
sense anymore and is useless and in the end is not implemented...
Stefan Esser
ou don't need to introduce
them at all.
Stefan Esser
need to infect your browser with a cookie and
have delayed cross site forgeries all over the place...
Stefan Esser
gical
conversion when the function wants an int in a parameter that is a
reference. Suddenly calling a function does magically change variable
types outside of the function => NIGHTMARE.
Stefan Esser
really don't understand why adding a *new feature* to the language
(that you can use or just not use and) that helps writing better code
and helps potential optimizers (that will come up as soon the feature is
implemented) to highly optimize the code get so much resistance...
Stefan Ess
s thread continues without a single valid (!= personal
opinion) reason why type hinting should NOT be introduced. BTW accepting
the string '1' where an (int) type hint is placed would be the next
stupid design decision.
Yours,
Stefan Esser
e hint of int in the decryptID()
function would allow the analyser to know that decryptID() always return
int and this would tell it that this is not a security hole. You see in
this example that just partial usage of type hinting can mean the
difference between a false positive and a definitive unexpl
ra procedural analysis
gives more information)
Stefan Esser
Wietse Venema wrote:
> Stefan Esser:
>
>> 2) Using mysql_real_escape_string() on user input does not make it safe
>> for SQL. It only makes SQL strings safe.
>> Example: "SELECT * FROM table WHERE id=".mysql_real_escape_string($id)
>> is NOT se
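The numeric-context case from point 2 above, as an added example that is not part of the original thread and not Stefan's code. mysql_real_escape_string() needs a live MySQL link, so the block uses a stand-in that applies the same escaping rules for the characters that matter here (an assumption, named escape_like_mysql()), and an in-memory SQLite database through PDO (pdo_sqlite assumed to be available) so the prepared-statement form runs offline. The table, rows and the "1 OR 1=1" payload are constructed.

```php
<?php
// Added example, not code from the thread. Escaping only protects a value that sits
// inside SQL string quotes. In "WHERE id=" . escaped($id) there are no quotes, the
// payload contains nothing to escape, and the OR clause reaches the server as SQL.

// Stand-in for mysql_real_escape_string() (assumption: same treatment of NUL, \, ', ",
// \n, \r and \x1a; the real function also needs a connection for charset handling).
function escape_like_mysql(string $s): string {
    return strtr($s, [
        "\0" => '\\0', "\\" => '\\\\', "'" => "\\'", '"' => '\\"',
        "\n" => '\\n', "\r" => '\\r', "\x1a" => '\\Z',
    ]);
}

// Escaped, but interpolated unquoted: escaping is a no-op for "1 OR 1=1".
function query_unsafe(string $id): string {
    return "SELECT * FROM users WHERE id=" . escape_like_mysql($id);
}

// Fix 1: enforce the type the context expects. Anything non-numeric becomes an int,
// never SQL.
function query_cast(string $id): string {
    return "SELECT * FROM users WHERE id=" . (int) $id;
}

// Fix 2: a prepared statement with a bound parameter; the value never touches the SQL text.
function query_prepared(PDO $db, string $id): PDOStatement {
    $stmt = $db->prepare("SELECT * FROM users WHERE id = :id");
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt;
}

// Constructed payload: no quote or backslash, so escaping leaves it untouched.
$payload = "1 OR 1=1";
echo query_unsafe($payload), "\n";
echo query_cast($payload), "\n";

// In-memory SQLite stands in for MySQL; the SQL here is portable between both.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)");
$db->exec("INSERT INTO users (id, name) VALUES (1, 'alice'), (2, 'bob')");

// The escaped-but-unquoted query matches every row because the OR clause is live SQL;
// the prepared query matches only the row whose id is 1.
echo count($db->query(query_unsafe($payload))->fetchAll()), " rows via escaped string\n";
echo count(query_prepared($db, $payload)->fetchAll()), " rows via prepared statement\n";
```

The cast and the bound parameter are not alternatives to each other: casting fixes the numeric context only, while the prepared statement is right for every context because it separates code from data instead of trying to escape data for one particular code position.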
G functions and
the developer will never realise this
because he was not taught to untaint() himself only when he is sure...
Stefan Esser
Hi Steph,
>
> In a preliminary release for feedback purposes you talk about wrong
> assumptions? Surely this is the whole point of having a preliminary
> release for feedback :)
yes of course it is preliminary. But the whole idea is flawed. It is
assumed that a single function exists that makes us
r. It will only react if $sql['id'] contains a
string. At least the very first version did
this.
This means currently both approaches would tell the developer that they
are safe, while they are in fact not.
Stefan Esser
ytes in places where they could be
dangerous.
The only problems here are how slow this is and that the parsers need to
be compatible.
Stefan Esser
3) Using htmlentities() on user input does not make it safe for HTML
output. It only makes it safe in some situations.
Example: echo ''. Will allow XSS through the style
attribute without a taint warning
Example2: echo ''. Will
allow XSS through javascript: URL (f.e.
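The javascript: URL case from Example2 above, as an added example that is not part of the original thread and not Stefan's code. htmlentities() only rewrites characters that matter for HTML text and quoted attributes; a value placed in an href or src attribute is additionally interpreted as a URL, and "javascript:alert(1)" contains nothing htmlentities() would touch. The safe_href() and link_tag() helpers below are assumed names, not PHP functions; they add the missing check, a scheme allow-list via parse_url(), and then escape for the attribute context with ENT_QUOTES. The inputs are constructed.

```php
<?php
// Added example, not code from the thread. Output escaping is per context: an href
// needs URL validation *and* attribute escaping, not one or the other.

// Return an attribute-safe href, or NULL if the URL must not be linked at all.
function safe_href(string $url): ?string {
    // Control characters and whitespace defeat naive scheme checks ("java\tscript:"),
    // so refuse them before parsing.
    if (preg_match('/[\x00-\x20\x7f]/', $url)) {
        return null;
    }
    $parts = parse_url($url);
    if ($parts === false) {
        return null;
    }
    if (isset($parts['scheme'])) {
        // Allow-list, not deny-list: javascript:, data:, vbscript: and anything new
        // are all refused by not being http or https.
        if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
            return null;
        }
    } elseif (strpos($url, '//') === 0) {
        // Scheme-relative "//evil.example/" is an absolute URL to the browser.
        return null;
    }
    // Attribute context: ENT_QUOTES so a single quote cannot end a '-quoted attribute,
    // and & becomes &amp; so an entity-encoded colon ("&#58;") is not decoded by the
    // browser into a working "javascript:" scheme.
    return htmlspecialchars($url, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function link_tag(string $url, string $text): string {
    $href = safe_href($url);
    if ($href === null) {
        $href = '#';   // assumption: keep the element, drop the dangerous target
    }
    $label = htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<a href="' . $href . '">' . $label . '</a>';
}

// Constructed inputs.
$attack  = 'javascript:alert(document.cookie)';
$encoded = 'javascript&#58;alert(1)';
$benign  = 'https://example.com/search?q=a"b';

// htmlentities() alone: the scheme survives untouched and the link executes script.
echo '<a href="' . htmlentities($attack, ENT_QUOTES) . '">x</a>', "\n";

// Validated: both attack forms lose their target, the benign URL keeps its meaning
// with the embedded quote escaped.
echo link_tag($attack, 'x'), "\n";
echo link_tag($encoded, 'x'), "\n";
echo link_tag($benign, 'search'), "\n";
```

The same reasoning applies to the style attribute case in Example1: a CSS value needs CSS-specific validation (an allow-list of properties and values) before attribute escaping, because nothing htmlentities() does changes what the CSS parser sees.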
Hi,
please keep in mind that compiling PHP with large file support breaks
binary compatibility...
One of the globals contain a "stat" struct that has different size for
LFS or no LFS.
Stefan Esser
Wez Furlong wrote:
> This bug has been open for a while:
> http://bugs.php.net/
for zend_extensions but I
believe right now there is no way to hook "I just came from some kind of
shared memory (memory/disk/network)" please fix me up so that I still
work in your process
Stefan Esser
--
Stefan Esser SektionEins GmbH
Tel. +49 175 6782326
Derick Rethans wrote:
> On Thu, 20 Sep 2007, Stefan Esser wrote:
>
>
>> One problem I and others have run into is that from time to time we need
>> to store extra information for specific opcode arrays. For simple values
>> it is possible to use one of the res
op_array, that gets also cached by all the opcode cachers...
What do you think?
Stefan Esser
Hello,
> new stage won't ever work, of course. If there's an extension which
> uses INI_STAGE_ACTIVATE and needs to support new htaccess stage, it
> can be fixed in source so check for this stage too - but I didn't see
> such extensions yet.
Well I actually know such an extension ;) It is called S
e means of runtime detection, because the same PHP 4.4 extension is
supposed to work with and without the fix (without recompilation).
Stefan Esser
ere. A good start are your
*.google.com cookies; they contain nearly all of these chars.
Stefan Esser
> Stefan Esser wrote:
>> sesser Sat Jun 16 07:47:46 2007 UTC
>>
>> Modified files: /php-src/ext/session session.c
>> Log:
>> Fix attr
> no further development time will be wasted on PHP4" :)
> This decision has been made to allow developers to move forward to get
> PHP6 out of the door ;)
While this statement would be honest it does not solve the problem, that
PHP 5 is also affected by security vulnerabilities that
of the PHP
developers.
OS hardening is useless if I can use exploits in PHP to simply
disable/get around
this hardening.
Stefan Esser
ited phpBB was attacking through the /e modifier
of preg_replace(). Really Bad Code exists everywhere and admins have a
very bad feeling in their stomach when they have
to install PHP applications.
Stefan Esser
PHP would be secure), or
a bunch of other attacks that
are not possible from PHP code, are not important. We therefore won't
fix them.
This statement would be honest and would be a good warning sign for
people to choose another language.
Stefan Esser
minutes.
Additionally the PHP dev team knows this problem for YEARS and it was
the only possible solution to expose the problem during
the MOPB to get it ever fixed.
I am fully aware that it can be made faster. But a slow solution is
better than no solution at all.
Stefan Esser
you require a deeper limit Suhosin has a nice simulation
mode that will not block deeper recursion, so
that you can run the simulation mode on your development server for
weeks and see if you ever violate the 256
depth.
Stefan Esser
imes the performance penalty will be big if you add code that
executed with every function call. But in reality PHP applications don't
call millions of functions. Most of the waiting time in PHP applications
is waiting for disk/DB I/O operations.
Stefan Esser
> You make things sound very black and white when they are usually grey.
>
You only don't realise how black things are.
> this is an acceptable performance tradeoff. We have to balance the
> seriousness of the vulnerability against the performance cost of the
>
Yeah well. Luckily since Suh
er not really safe. Refcount
increases etc...
are usually done deep in the engine and it is not ensured that in case
of a bailout
this cannot result in destruction of structures that were only partially
initialised.
Stefan Esser
Dear Kevin,
you are just ridiculous. Educate yourself WHO is responsible for
improved PHP security.
Stefan Esser
> This one time, at band camp, Stefan Esser <[EMAIL PROTECTED]> wrote:
>
>
>> Stop flooding my inbox with your unqualified comments.
>> You can write
s/php-4.4.7-refcount-overflow-fix.patch.gz
MD5: 0b558564d86b798651b69181920f9378
Stefan Esser
Reference:
[1] - reference counter overflow -
http://www.php-security.org/MOPB/MOPB-01-2007.html
[2] - deep recursion crash -
http://www.php-security.org/MOPB/MOPB-02-2007.html
nymore. Should we open
> [EMAIL PROTECTED] instead of [EMAIL PROTECTED]
Stanislav,
you are a liar. Enough said.
Stefan Esser
e because in Antony's world
I am responsible for it, while in fact
my commit was in a version AFTER the one the problem was reported for.
Stefan Esser
daisy chaining of the filter hooks...
Let's not forget that the typical internals discussion is that some Zend
employee steps in and believes he is a leader and makes the decisions.
(Hello Antony). And this happens because there is NO leader that steps
in. (Hello PHP Group)
Stefan Esser
> If you are aware of some security problems in current PHP sources you
> are as always welcome to report them and they will be fixed. I think
> everybody here as always are thankful for any help we can get.
Ohh BTW. I am aware of many security problems in current PHP, actually
the whole world
is,
discussion" happens and it's not
> always about conspiring against certain security researchers? There's
> no "them". Try to think about it for a minute.
Yes I think you do not need to repeat that there is no such thing as a
PHP leadership.
The reason number one w
x is of course not a solution and as usual fixes just one of the
symptoms.
Stefan Esser
Ci wrote:
> Stefan Esser wrote:
>> Hello,
>>
>>> zend_hash_find(Z_ARRVAL_P(PG(http_globals)[TRACK_VARS_SERVER]),
>>> "DOCUMENT ROOT", sizeof("DOCUMENT ROOT"), &data);
>>> strcpy(buffer, Z_STRVAL_P(data));
>> It is
Hello,
> zend_hash_find(Z_ARRVAL_P(PG(http_globals)[TRACK_VARS_SERVER]),
> "DOCUMENT ROOT", sizeof("DOCUMENT ROOT"), &data);
> strcpy(buffer, Z_STRVAL_P(data));
It is called DOCUMENT_ROOT, not DOCUMENT ROOT...
-sesser
s during a single request.
Stefan Esser
Richard Quadling wrote:
> Hi.
>
> I have a webapp which uses Ajax to initiate a process on the server
> which could take several minutes to complete and will go through many
> steps to before the task is finished.
>
> In that script, I upd
f open source...
>
The spirit of open source is NOT that those in favour of the PHP Group
can abuse the PHP Project for whatever they want. Like advertise their
own companies.
Stefan Esser
> as conflicting with their definition of Open Source.
>
Yeah well, I am waiting for their comment about this issue. Beside the
fact that the License can still be OSI conformant as long as the PHP group
does not give anyone special treatment.
Stefan Esser