> -Original Message-
> From: Russell Nelson [mailto:[EMAIL PROTECTED]
> Sent: mercredi 29 juin 2005 08:09
>
>
> If people do stupid things with a computer, is it their fault or the
> computer's fault? Personally, I always think it's the computer's
> fault. So, yes, if people end up doin
On Wed, 29 Jun 2005 [EMAIL PROTECTED] wrote:
> ID: 12284
> Updated by: [EMAIL PROTECTED]
> Reported By: andrew at andrew dot org
> -Status: Open
> +Status: Closed
> Bug Type: Feature/Change Request
> Operating System: any
> PHP Version:
On Wed, 29 Jun 2005 [EMAIL PROTECTED] wrote:
ID: 12284
Updated by: [EMAIL PROTECTED]
Reported By: andrew at andrew dot org
-Status: Open
+Status: Closed
Bug Type: Feature/Change Request
Operating System: any
PHP Version: 4.0.6
New
Hi Derick,
Who will define HAVE_INT32_T?
I could see ./configure detects it and defines it in main/php_config.h.
But How ext/date/lib/timelib_structs.h know about this?
I could not see ext/date/lib/timelib_structs.h including
main/php_config.h.
#ifndef HAVE_INT32_T
# if SIZEOF_INT == 4
typedef int
Jani Taskinen <[EMAIL PROTECTED]> writes:
> Please troll, do you go away if I close my eyes?
That's not fair. Russell is providing strong arguments and rebuttals for
every point. You may not agree with his points, but what he's doing is not
trolling. This discussion seems to have strong ba
!!! 2 ALL FROM PHP-FREELANCERS.COM/RELATED !!!
!!! URGENT !!! HELLO ALL, WE ARE "SKIV" DEVELOPER ON SCRIPTLANCE.COM !!!
URGENT !!!
!!! URGENT !!! WE ARE SELLING OUR COMPLETED COMMERCIAL PROJECTS DATABASE.!!!
URGENT !!!
!!! PLEASE READ CAREFULLY, long email,
Hi Jani,
Some time in October end 2004 I was asking for allocating 2 switches for
NetWare php cli to handle NetWare specific screen issues.
Subject of the original eMail is
"Can someone allocate 2 command line switches for php cli on NetWare?"
I got a good suggestion from the community to write a
I think the point is that we're not going to change include() any time
soon, and that this thread is not a productive use of everyones time.
--Wez.
On 6/29/05, [EMAIL PROTECTED]
<[EMAIL PROTECTED]> wrote:
> Jani Taskinen <[EMAIL PROTECTED]> writes:
>
> > Please troll, do you go away if I clo
[EMAIL PROTECTED] wrote:
> Jani Taskinen <[EMAIL PROTECTED]> writes:
>
>> Please troll, do you go away if I close my eyes?
>
> That's not fair. Russell is providing strong arguments and rebuttals for
> every point. You may not agree with his points, but what he's doing is not
> trolling. T
On Wed, 29 Jun 2005, Sebastian Mendel wrote:
> [EMAIL PROTECTED] wrote:
> > Jani Taskinen <[EMAIL PROTECTED]> writes:
> >
> >> Please troll, do you go away if I close my eyes?
> >
> > That's not fair. Russell is providing strong arguments and rebuttals for
> > every point. You may not agre
[EMAIL PROTECTED] wrote:
Please troll, do you go away if I close my eyes?
That's not fair. Russell is providing strong arguments and rebuttals
for every point. You may not agree with his points, but what he's
doing is not trolling. This discussion seems to have strong backing
on both sides
Nope. Some functions are intrinsically safe, e.g. C's atol, or strtol.
It's all in the design, you see.
{
char badstring[3] = { '1', '0', '0' };
long not100 = atol(badstring);
}
Only intrinsicly safe if you've read the manual page to know that badstring
should have been null terminated.
On Wed, 29 Jun 2005, Sara Golemon wrote:
> > Nope. Some functions are intrinsically safe, e.g. C's atol, or strtol.
> > It's all in the design, you see.
> >
> {
>char badstring[3] = { '1', '0', '0' };
>long not100 = atol(badstring);
> }
>
> Only intrinsicly safe if you've read the manual
On Wed, 29 Jun 2005, Kamesh Jayachandran wrote:
> #include this at the start of the file(ofcourse after the
> guard) solves the problem.
Should be fixed in CVS, please test.
regards,
Derick
--
Derick Rethans
http://derickrethans.nl | http://ez.no | http://xdebug.org
--
PHP Internals - PHP R
On 6/29/05, Russell Nelson <[EMAIL PROTECTED]> wrote:
> If 'strchr' caused your CPU's fan to stop turning, should 1) a
> work-around be documented, or 2) the code fixed? If a bug in libjpeg
> allows a url_fopened image to contain invalid data that elevates
> privilege, should that be 1) a work-ar
Jani Taskinen writes:
> Please troll, do you go away if I close my eyes?
No, in fact, I don't. I'm not trolling. I'm pointing to factual
evidence that your replies cannot explain. Lots of people have said
"Oh, well, just turn off that feature, or tell your users not to use
it, or stop usi
Wez Furlong writes:
> I think the point is that we're not going to change include() any time
> soon,
Why not? It's still badly designed because it has hidden sharp edges.
--
--My blog is at blog.russnelson.com | If you want to find
Crynwr sells support for free software | PGPok |
Guus Leeuw jr. writes:
> These programmers need to make sure that their program copes well with
> incorrect or harming input.
Your argument is ridiculous. Essentially you are saying that circular
saws should not come with a guard on the blade, and that circular saw
users should invent their own
Derick Rethans writes:
> On Wed, 29 Jun 2005, Sara Golemon wrote:
> > Only intrinsicly safe if you've read the manual page to know that
> > badstring should have been null terminated.
Oh, don't get me started on C's null-terminated strings!
> Stop feeding the troll please.
Public requests t
Russell Nelson wrote:
Derick Rethans writes:
> On Wed, 29 Jun 2005, Sara Golemon wrote:
> > Only intrinsicly safe if you've read the manual page to know that
> > badstring should have been null terminated.
Oh, don't get me started on C's null-terminated strings!
> Stop feeding the troll pl
Parameter validation is a general thing done for security, whether that
be if you're using a variable in an include, database credentials,
connecting to a web service, etc. You need to make sure that those
basic conditions have a highly controlled set of values, not only for
security but to make s
Nelson Menezes writes:
> The potential for inclusion of malicious code is, if
> anything, a common oversight, not a design flaw.
If it's a common oversight, then it *is* a design flaw.
> 1. Create an INI_ALL variable that means something like "allow fopen
> wrappers in include/require" and de
Russell Nelson wrote:
>Derick Rethans writes:
> > On Wed, 29 Jun 2005, Sara Golemon wrote:
>
> > > Only intrinsicly safe if you've read the manual page to know that
> > > badstring should have been null terminated.
>
>Oh, don't get me started on C's null-terminated strings!
>
> > Stop feeding the
Russell Nelson wrote:
> Nelson Menezes writes:
> > The potential for inclusion of malicious code is, if
> > anything, a common oversight, not a design flaw.
>
> If it's a common oversight, then it *is* a design flaw.
>
> > 1. Create an INI_ALL variable that means something like "allow fopen
>
hi,
I just wanted to say about 'include' ... er no actually
I have this little thing with constant() which I asked about
on php-generals and the response from a couple of regulars
suggest it might be a bug, or more correctly, an inconsistency.
Jason Barnett wrote also:
tested with PHP 5.0.5-dev
Al Baker writes:
> This thread's pretty much pointless - I recommend you read up on web
> security in general.
I understand web security. When I found out that somebody was
breaking into my system, I knew *exactly* how they were doing it:
through PHP. I turned out to be correct. PHP's reputat
Yasuo,
Isn't it possible to resolve this in the code directly?
At 09:11 AM 6/27/2005 +0200, Derick Rethans wrote:
On Mon, 27 Jun 2005, Yasuo Ohgaki wrote:
> Since release_sysvsem_sem has error message while releasing acquired
> semaphores (both PHP_4_4 and PHP_5_1), it may end up with semaphor
Rasmus Lerdorf writes:
> Forget your Google searches and go look at actual vulnerability reports
> for the last 3 months.
Vulnerability reports are not a reasonable statistical sample. They
aren't random. Also, people who report vulnerabilities are likely to
stop reporting them if the maintain
That's pretty accurate. Same happens on systems like SGI where you can
optimize with base addresses. It can allow you to speed up loading time if
you have a self contained app but partition it into DLLs.
At 10:56 AM 6/28/2005 -0400, Wez Furlong wrote:
It does things differently; it compiles th
Makes sense and brings much better performance to PHP.
At 12:38 PM 6/28/2005 -0700, Michael Sisolak wrote:
Does this tripling of the size of zend_execute make sense? If it does
then it is what it is, but I just want to make sure that what's
happening here is what people expected.
--
PHP Inter
Russell Nelson wrote:
>And you're trying to tell me that PHP's 'include' doesn't have a problem??
>
>
>
The problem is not located on include, the problem is more general :
"trusting user's data" and PHP already provides tools to make it safe,
like file_exists(), htmlentities(), etc...
--
Etie
Sorry to break up the allow_url_fopen discussion but I think that thread is
getting a bit old already and definitely clogging up the mailing list.
(hint hint)
I'd like to start moving forward with the 5.1.0 release process. It seems
we are in quite good shape but as we have had many patches si
Hey,
Who is currently maintaining the ldap_ function set in PHP?
Guus
--
No virus found in this outgoing message.
Checked by AVG Anti-Virus.
Version: 7.0.323 / Virus Database: 267.8.6/33 - Release Date: 28/06/2005
Etienne Kneuss writes:
> Russell Nelson wrote:
>
> >And you're trying to tell me that PHP's 'include' doesn't have a problem??
> >
> The problem is not located on include, the problem is more general :
> "trusting user's data"
That's *also* a problem. Include's problem is a different one:
Russell,
We got the point. Now please let internals@ continue to be productive and
focus on PHP development.
Sorry to be blunt but this thread is getting old and preventing us from
being productive.
Thanks,
Andi
At 12:58 AM 6/30/2005 -0400, Russell Nelson wrote:
Etienne Kneuss writes:
> Ru
Okay, I'm leaving for vacation in 7 hours. I'd like to bring the
'include' discussion to an end. There have been a lot of weak points
made, e.g. "Yeah, it's a problem; that's why we documented it".
Rather than re-dismiss them, I'll ignore them in favor of addressing
the strongest ones.
o This
Thanks Derick.
Still have one small issue with it for NetWare.
We decided to use autoconf based build for PHP-5.1 so we don't want to
use config.nw.h(Soon will delete it from the source tree)
This patch takes cares of it.
http://www.ductape.net/~kameshj/ext_date_config.m4.patch
With regards
Kamesh
On Thu, 30 Jun 2005, Kamesh Jayachandran wrote:
> Still have one small issue with it for NetWare.
> We decided to use autoconf based build for PHP-5.1 so we don't want to
> use config.nw.h(Soon will delete it from the source tree)
> This patch takes cares of it.
> http://www.ductape.net/~kameshj/e
38 matches
Mail list logo
