Re: [PHP-DEV] how to debug a php script ( the C code beneath it)

2012-02-14 Thread jpauli
2012/2/14 Adi Mutu > Perhaps I didn't explain correctly, my bad, sorry. > Basically what I want to see is the corresponding C code which is > executed, I could put a break in gdb, but how do I know at which C function > to put it, if I don't know the internals of php very well? > And the answer

[PHP-DEV] Re: Re: restore user opcode handler in PHP

2012-02-14 Thread Yoram bar-haim
Please ignore the issue of restart on mac and dlclose. It appears to be a bug on our (Zend) side, caused by wrong behavior in an extension that increments the reference count of the library. Sorry for that. However, the ability to fully restore the user opcode handler state is still an issue and is

[PHP-DEV] Fwd: Re: signals hadling problem in PHP 5.4

2012-02-14 Thread Dmitry Stogov
Hi, We will probably have to introduce --enable-zend-signals configure switch and disable zend signals by default. Or we will be stuck with 5.4 release forever. Thanks. Dmitry. --- Begin Message --- Hi Arnaud and Lucas, I can confirm the problem. Just start Apache with mod_php, generate some

[PHP-DEV] New Array function - limited push

2012-02-14 Thread Pedro Pereira
Hi. I'm Pedro and I'm from Portugal. I've been working with php for a while but only now I decided to try my luck and propose a new array function that will become handy for many people :) This function adds new elements to the end of an array but limits the amount of total elements it can have,

Re: [PHP-DEV] New Array function - limited push

2012-02-14 Thread Patrick ALLAERT
2012/2/14 Pedro Pereira : > Hi. I'm Pedro and I'm from Portugal. > > I've been working with php for a while but only now I decided to try my > luck and propose a new array function that will become handy for many > people :) > > This function adds new elements to the end of an array but limits the

Re: [PHP-DEV] Fwd: Re: signals hadling problem in PHP 5.4

2012-02-14 Thread jpauli
Hey :) Is there a bug report for that ? I can find two of them related to zend signal problems with deadlocks-in-libc problems : #31749 #61067 Julien.P On Tue, Feb 14, 2012 at 11:22 AM, Dmitry Stogov wrote: > Hi, > > We will probably have to introduce --enable-zend-signals configure switch > a

[PHP-DEV] About CVE-2012-0831 (magic_quotes_gpc remote disable vulnerability?)

2012-02-14 Thread Kousuke Ebihara
Hi, I've noticed the following CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0831 > PHP before 5.3.10 does not properly perform a temporary change to the > magic_quotes_gpc directive during the importing of environment variables, > which makes it easier for remote attackers to co

Re: [PHP-DEV] About CVE-2012-0831 (magic_quotes_gpc remote disable vulnerability?)

2012-02-14 Thread Reindl Harald
Am 14.02.2012 14:02, schrieb Kousuke Ebihara: > Hi, > > I've noticed the following CVE: > > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0831 > >> PHP before 5.3.10 does not properly perform a temporary change to the >> magic_quotes_gpc directive during the importing of environment

Re: [PHP-DEV] About CVE-2012-0831 (magic_quotes_gpc remote disable vulnerability?)

2012-02-14 Thread Kousuke Ebihara
(12/02/14 22:07), Reindl Harald wrote: > who in the world has magic_quotes on and does rely on any > addslashes() or magic_quotes thinking this makes any query > safe against sql-injection? > > without mysql_real_escape() you are completely unprotected

Re: [PHP-DEV] About CVE-2012-0831 (magic_quotes_gpc remote disable vulnerability?)

2012-02-14 Thread Ferenc Kovacs
2012/2/14 Kousuke Ebihara > Hi, > > I've noticed the following CVE: > > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0831 > > > PHP before 5.3.10 does not properly perform a temporary change to the > magic_quotes_gpc directive during the importing of environment variables, > which makes

[PHP-DEV] Re: About CVE-2012-0831 (magic_quotes_gpc remote disable vulnerability?)

2012-02-14 Thread Ondřej Surý
2012/2/14 Kousuke Ebihara : > Hi, > > I've noticed the following CVE: > > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0831 > >> PHP before 5.3.10 does not properly perform a temporary change to the >> magic_quotes_gpc directive during the importing of environment variables, >> which ma

Re: [PHP-DEV] Fwd: Re: signals hadling problem in PHP 5.4

2012-02-14 Thread jpauli
Ah oups, sry. But they seem related to signal handling in general case and libc's signal-safety , thus I linked them together :) Thx Julien.P On Tue, Feb 14, 2012 at 3:42 PM, Dmitry Stogov wrote: > I've opened the bug report #61083. > The bugs you mentioned are probably not related to zend_sign

Re: [PHP-DEV] Fwd: Re: signals hadling problem in PHP 5.4

2012-02-14 Thread Dmitry Stogov
I've opened the bug report #61083. The bugs you mentioned are probably not related to zend_signals. They were introduced only in 5.4. Thanks. Dmitry. On 14.02.2012, at 16:16, jpauli wrote: > Hey :) > > Is there a bug report for that ? > I can find two of them related to zend signal problems wi

[PHP-DEV] Re: About CVE-2012-0831 (magic_quotes_gpc remote disable vulnerability?)

2012-02-14 Thread Kousuke Ebihara
(12/02/14 23:03), Ondřej Surý wrote: > That's some noise on the wire... This fix was never part of PHP > 5.3.10 and I think all security team just copied this information from > CVE. (Now I at least know where they got it.) > > And you really need to pull the patch from > https://bugs.php.net/bug

Re: [PHP-DEV] About CVE-2012-0831 (magic_quotes_gpc remote disable vulnerability?)

2012-02-14 Thread Stefan Esser
Hi, > 1. In PHP 5.3.10 and before, magic_quotes_gpc is disabled even if it is > enabled in php.ini. No, the vulnerability allows attackers to disable activated magic_quotes_gpc with a remote exploit. > 2. If my PHP scripts don't depend on magic quote feature, in this case, I > don't need to

Re: [PHP-DEV] Fwd: Re: signals hadling problem in PHP 5.4

2012-02-14 Thread Rasmus Lerdorf
On 02/14/2012 06:42 AM, Dmitry Stogov wrote: > I've opened the bug report #61083. > The bugs you mentioned are probably not related to zend_signals. > They were introduced only in 5.4. Right, but zend_signals actually fixes these deadlocks, so they are related that way. -Rasmus -- PHP Internals

Re: [PHP-DEV] Fwd: Re: signals hadling problem in PHP 5.4

2012-02-14 Thread jpauli
On Tue, Feb 14, 2012 at 5:35 PM, Rasmus Lerdorf wrote: > On 02/14/2012 06:42 AM, Dmitry Stogov wrote: > > I've opened the bug report #61083. > > The bugs you mentioned are probably not related to zend_signals. > > They were introduced only in 5.4. > > Right, but zend_signals actually fixes these

Re: [PHP-DEV] Fwd: Re: signals hadling problem in PHP 5.4

2012-02-14 Thread Rasmus Lerdorf
On 02/14/2012 08:48 AM, jpauli wrote: > On Tue, Feb 14, 2012 at 5:35 PM, Rasmus Lerdorf > wrote: > > On 02/14/2012 06:42 AM, Dmitry Stogov wrote: > > I've opened the bug report #61083. > > The bugs you mentioned are probably not related to zend_signals. > >

Re: [PHP-DEV] Fwd: Re: signals hadling problem in PHP 5.4

2012-02-14 Thread jpauli
On Tue, Feb 14, 2012 at 5:52 PM, Rasmus Lerdorf wrote: > On 02/14/2012 08:48 AM, jpauli wrote: > > On Tue, Feb 14, 2012 at 5:35 PM, Rasmus Lerdorf > > wrote: > > > > On 02/14/2012 06:42 AM, Dmitry Stogov wrote: > > > I've opened the bug report #61083. > > > The

Re: [PHP-DEV] how to debug a php script ( the C code beneath it)

2012-02-14 Thread Adi Mutu
Thanks Julien I don't know French, but I'll read it using google translate:) From: jpauli To: Adi Mutu Cc: Ángel González ; PHP Developers Mailing List Sent: Tuesday, February 14, 2012 11:17 AM Subject: Re: [PHP-DEV] how to debug a php script ( the C c

Re: [PHP-DEV] how to debug a php script ( the C code beneath it)

2012-02-14 Thread Rasmus Lerdorf
On 02/14/2012 09:22 AM, Adi Mutu wrote: > Thanks Julien > > I don't know French, but I'll read it using google translate:) If you just want to see some of the function calls, most calls that are visible in userspace are prefixed with "zif_" internally. eg. % gdb sapi/cli/php GNU gdb (Ubuntu

Re: [PHP-DEV] how to debug a php script ( the C code beneath it)

2012-02-14 Thread jpauli
On Tue, Feb 14, 2012 at 6:28 PM, Rasmus Lerdorf wrote: > On 02/14/2012 09:22 AM, Adi Mutu wrote: > > Thanks Julien > > > > I don't know French, but I'll read it using google translate:) > > If you just want to see some of the function calls, most calls that are > visible in userspace are pref

Re: [PHP-DEV] how to debug a php script ( the C code beneath it)

2012-02-14 Thread Adi Mutu
I know about the zif_* functions and I'm already using lxr.php.net. Didn't know about Gcc -e trick though, that might be useful. Thanks. From: jpauli To: Rasmus Lerdorf Cc: Adi Mutu ; PHP Developers Mailing List Sent: Tuesday, February 14, 2012 7:36 PM

Re: [PHP-DEV] how to debug a php script ( the C code beneath it)

2012-02-14 Thread Adi Mutu
I know about the zif_* functions and I'm already using lxr.php.net. Didn't know about gcc -E trick though, that might be useful. Thanks. From: jpauli To: Rasmus Lerdorf Cc: Adi Mutu ; PHP Developers Mailing List Sent: Tuesday, February 14, 2012 7:36 PM Su

[PHP-DEV] Re: main/output.c problem

2012-02-14 Thread Michael Wallner
On Mon, 13 Feb 2012 10:54:38 +0200, James Edmunds wrote: ... > if the output handler function set the return buffer pointer to NULL, it > was a signal to the output code to pass through the buffer contents > unmodified. The compatibility function wasn't doing that. A fix has been committed. Tha