> -----Original Message-----
> From: p...@golemon.com [mailto:p...@golemon.com] On Behalf Of Sara
> Golemon
> Sent: Thursday, April 27, 2017 12:10 AM
> To: Anatol Belski <a...@php.net>
> Cc: PHP internals <internals@lists.php.net>; Joe Watkins <krak...@php.net>;
> Davey Shafik <da...@php.net>; Remi Collet <r...@php.net>
> Subject: Re: [PHP-DEV] On malformed transport strings
> 
> On Wed, Apr 26, 2017 at 1:19 PM, Anatol Belski <a...@php.net> wrote:
> > What I'd basically avoid is making changes in stress, as there might
> > be other beyond places and we shouldn't risk to introduce more breach
> > than there already is.
> > Instead, that requires a cold head and a lot of QA 😉
> >
> Which is precisely why I'm advocating reverting the whole lot.  I've just sat
> down to try to at least address the mysqli_connect part and it's hairy.
> Basically we've built in precisely the kind of bad assumption that I was
> initially grousing about frameworks having done.
> 
> I don't mean to ignore the security issue presented by 74216, I just recognize
> that my initial fix was made hastily and we should allocate more time to fix
> it properly (with all that lovely QA and testing).
> 
From what I could tell, however, your fix was not made hastily. It was pushed 1.5
months before 7.0.18, and the impact was only discovered in the final by the apps
using undocumented functionality. That was my reason for trying to keep the actual
patch. The fact that the undocumented functionality seems to be indeed in (ab)use is
the explanation why it took that long to discover. I think we're clear now
that the BC impact in this case is overweight.

ACK, I will go by reverting these revs from the dev and release branches; please
correct me if I miss some:

cda7dcf4cacef3346f9dc2a4dc947e6a74769259
bab0b99f376dac9170ac81382a5ed526938d595a

reopen bug #74216 and retag the RC. Joe, Davey, seems you should retag as well. 
Thanks for this productive discussion, Sara.

Regards

Anatol
