RE: [PHP-DEV] On malformed transport strings

2017-04-26 Thread Anatol Belski
> -Original Message-
> From: p...@golemon.com [mailto:p...@golemon.com] On Behalf Of Sara
> Golemon
> Sent: Thursday, April 27, 2017 12:10 AM
> To: Anatol Belski
> Cc: PHP internals ; Joe Watkins ;
> Davey Shafik ; Remi Collet
> Subject: Re: [PHP-DEV] On mal

Re: [PHP-DEV] On malformed transport strings

2017-04-26 Thread Sara Golemon
On Wed, Apr 26, 2017 at 1:19 PM, Anatol Belski wrote:
> What I'd basically avoid is making changes in stress,
> as there might be other beyond places and we shouldn't
> risk to introduce more breach than there already is.
> Instead, that requires a cold head and a lot of QA 😉
> Which is precisely

RE: [PHP-DEV] On malformed transport strings

2017-04-26 Thread Anatol Belski
> -Original Message-
> From: p...@golemon.com [mailto:p...@golemon.com] On Behalf Of Sara
> Golemon
> Sent: Wednesday, April 26, 2017 5:35 PM
> To: Anatol Belski
> Cc: PHP internals ; Joe Watkins ;
> Davey Shafik ; Remi Collet
> Subject: Re: [PHP-DEV] On mal

Re: [PHP-DEV] On malformed transport strings

2017-04-26 Thread Sara Golemon
On Wed, Apr 26, 2017 at 6:20 AM, Anatol Belski wrote:
> Thanks for this additional check. My action was actually based on the comment
> with the patch link, looks like the situation has now changed a bit. We're
> still quite limited in choice in this case. For one, there's a low security
> impa

RE: [PHP-DEV] On malformed transport strings

2017-04-26 Thread Anatol Belski
Hi Sara,

> -Original Message-
> From: p...@golemon.com [mailto:p...@golemon.com] On Behalf Of Sara
> Golemon
> Sent: Tuesday, April 25, 2017 7:15 PM
> To: Anatol Belski
> Cc: PHP internals
> Subject: Re: [PHP-DEV] On malformed transport strings
>
> On T

Re: [PHP-DEV] On malformed transport strings

2017-04-25 Thread Sara Golemon
On Tue, Apr 25, 2017 at 5:15 AM, Anatol Belski wrote:
> I've applied the patch you've suggested in bug #74429, so it's going to be
> included in RCs. Given the initial security issue is not impacted, BC can be
> kept.
> I thought about the security implications of that quick fix and while it doe

RE: [PHP-DEV] On malformed transport strings

2017-04-25 Thread Anatol Belski
Hi Sara, > -Original Message- > From: Anatol Belski [mailto:weltl...@outlook.de] On Behalf Of Anatol Belski > Sent: Saturday, April 22, 2017 12:41 PM > To: Sara Golemon ; PHP internals > Subject: RE: [PHP-DEV] On malformed transport strings > > > > > I

RE: [PHP-DEV] On malformed transport strings

2017-04-22 Thread Anatol Belski
Hi Sara,

> -Original Message-
> From: p...@golemon.com [mailto:p...@golemon.com] On Behalf Of Sara
> Golemon
> Sent: Thursday, April 20, 2017 10:56 PM
> To: PHP internals
> Subject: [PHP-DEV] On malformed transport strings
>
> My fix to https://bugs.php.net/bu

[PHP-DEV] On malformed transport strings

2017-04-20 Thread Sara Golemon
My fix to https://bugs.php.net/bug.php?id=74216 tightened down the definition of what a valid transport string looks like. Previously, transport strings like "tcp://127.0.0.1:80:81:82/your/moms/face" would be accepted by PHP as perfectly valid URIs. Since this was never documented as a feature of