[PHP-DEV] Re: [php-maint] [PHP-DEV] CVE-2008-5658 unfixed or new problem with Zip::extractTo in 5.2.x?
hi again,

On Fri, Jan 23, 2009 at 08:23:59AM +0100, sean finney wrote:
it's unfortunate that there isn't a more surgical fix (301 insertions!), but i'll take your word for it that it would be too complicated/dangerous to try and modify virtual_file_ex() directly.

actually, i think i've found a slightly more graceful workaround :) since virtual_file_ex is too fragile to be changed, here's a patch that does the following as a workaround:

- take a temporary copy of the filename
- replace all instances of ^../, /../, and /..$ with ///.
- pass this mangled filename to virtual_file_ex for normalization

it seems virtual_file_ex can handle such a filename without problem, and with proper formatting the current patch only inserts 22 lines to php_zip.c. someone should probably double check this code for early-morning coding errors though :)

what do you think?

sean

--- ext/zip/php_zip.c.orig 2009-01-23 08:29:32.0 +0100 +++ ext/zip/php_zip.c 2009-01-23 08:56:42.0 +0100 @@ -142,6 +142,9 @@ char *path_cleaned; size_t path_cleaned_len; cwd_state new_state; + char *tmp_file = NULL; + char *tmp_needle = NULL; + int virtual_ret = 0; new_state.cwd = (char*)malloc(1); new_state.cwd[0] = '\0'; 
@@ -150,7 +153,25 @@ /* Clean/normlize the path and then transform any path (absolute or relative) to a path relative to cwd (../../mydir/foo.txt mydir/foo.txt) */ - virtual_file_ex(new_state, file, NULL, CWD_EXPAND); + tmp_file = strdup(file); + while (tmp_needle=strstr(tmp_file, /../)) + { +*(tmp_needle+1)=*(tmp_needle+2)='/'; + } + if (strncmp(tmp_file, .., 2) == 0 (file_len == 2 || tmp_file[2] == '/')) + { +tmp_file[0]=tmp_file[1]='/'; + } + if (file_len 3 strncmp(tmp_file[file_len-2], .., 2) == 0) + { +tmp_file[file_len-1]=tmp_file[file_len-2]='/'; + } + virtual_ret = virtual_file_ex(new_state, tmp_file, NULL, CWD_EXPAND); + free(tmp_file); + if (virtual_ret == 1) + { +return 0; + } path_cleaned = php_zip_make_relative_path(new_state.cwd, new_state.cwd_length); path_cleaned_len = strlen(path_cleaned);
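Review bot: in the third `if` of the second hunk, `strncmp(tmp_file[file_len-2], .., 2)` passes a single `char` where `strncmp` expects a `const char *`; it should be `strncmp(tmp_file + file_len - 2, "..", 2)` (or `&tmp_file[file_len-2]`), and the compiler warning this produces should be treated as an error, because as written the trailing `/..` case never matches and the component is passed through unmangled. Two smaller points in the same hunk: `tmp_file = strdup(file)` is not checked for NULL before `strstr` dereferences it, and the early `return 0` on `virtual_ret == 1` leaves `new_state.cwd`, which the first hunk shows being `malloc`'d a few lines above, unfreed on the failure path. The `file_len 3` and `== 0 (file_len == 2 ...)` fragments look like operators (`>` and `&&`) lost in mail formatting, so re-posting the patch as an attachment rather than inline would make it reviewable as-is.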
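To make the workaround sean describes concrete, here is an added stand-alone C example; it is not the php_zip.c patch and not PHP project code, and every function name in it is this example's own. `defuse_dotdot` applies the three rewrites from the mail (a leading `../`, any `/../`, and a trailing `/..` become slashes) with a proper pointer argument and a checked allocation, `has_dotdot_component` confirms afterwards that no `..` component survives, and `make_relative` is a deliberately simplified stand-in for what `virtual_file_ex` plus `php_zip_make_relative_path` do: it collapses the runs of slashes and drops `.` components to yield a path relative to the extraction directory. The sample entry names in `main` are constructed for the demonstration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Rewrite, in place, every "/../" to "////", a leading ".." component to
 * "//", and a trailing "/.." to "///", so that no ".." component remains
 * for the normalizer to climb with. Returns the number of rewrites. */
size_t defuse_dotdot(char *path)
{
    size_t len = strlen(path);
    size_t n = 0;
    char *p;

    /* Middle components: "/../" anywhere in the string (loop handles "/../../"). */
    while ((p = strstr(path, "/../")) != NULL) {
        p[1] = p[2] = '/';
        n++;
    }
    /* Leading "..": either the whole name or followed by a separator. */
    if (len >= 2 && path[0] == '.' && path[1] == '.' && (len == 2 || path[2] == '/')) {
        path[0] = path[1] = '/';
        n++;
    }
    /* Trailing "/..": compare the last three bytes via a pointer, not a char. */
    if (len >= 3 && strcmp(path + len - 3, "/..") == 0) {
        path[len - 2] = path[len - 1] = '/';
        n++;
    }
    return n;
}

/* Defensive check: does any '/'-separated component equal ".."? */
int has_dotdot_component(const char *path)
{
    const char *s = path;
    while (*s) {
        const char *e = strchr(s, '/');
        size_t clen = e ? (size_t)(e - s) : strlen(s);
        if (clen == 2 && s[0] == '.' && s[1] == '.')
            return 1;
        if (!e)
            break;
        s = e + 1;
    }
    return 0;
}

/* Simplified normalizer (stand-in for virtual_file_ex + php_zip_make_relative_path):
 * drop empty and "." components, join the rest with single slashes, never emit a
 * leading slash. Returns NULL if the result would not fit in out. */
char *make_relative(const char *in, char *out, size_t outsz)
{
    size_t o = 0;
    const char *s = in;
    if (outsz == 0)
        return NULL;
    while (*s) {
        const char *e = strchr(s, '/');
        size_t clen = e ? (size_t)(e - s) : strlen(s);
        if (clen > 0 && !(clen == 1 && s[0] == '.')) {
            if (o + clen + 2 > outsz)       /* room for '/', component and NUL */
                return NULL;
            if (o > 0)
                out[o++] = '/';
            memcpy(out + o, s, clen);
            o += clen;
        }
        if (!e)
            break;
        s = e + 1;
    }
    out[o] = '\0';
    return out;
}

/* Full pipeline for one archive entry name: scratch copy, rewrite, verify, normalize.
 * Returns out on success, NULL on allocation failure, leftover "..", or overflow. */
char *sanitize_entry_name(const char *entry, char *out, size_t outsz)
{
    size_t len = strlen(entry);
    char *tmp = malloc(len + 1);            /* temporary copy, as in the mail */
    if (!tmp)
        return NULL;
    memcpy(tmp, entry, len + 1);
    defuse_dotdot(tmp);
    if (has_dotdot_component(tmp) || !make_relative(tmp, out, outsz)) {
        free(tmp);
        return NULL;
    }
    free(tmp);
    return out;
}

int main(void)
{
    /* constructed sample entry names */
    const char *samples[] = { "../../etc/passwd", "foo/../../bar", "..", "a/..",
                              "/etc/passwd", "./x/./y" };
    char buf[256];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        const char *r = sanitize_entry_name(samples[i], buf, sizeof buf);
        printf("%-18s -> %s\n", samples[i], r ? r : "(rejected)");
    }
    return 0;
}
```

Note that, exactly as with the patch, an entry such as `foo/../../bar` is silently rewritten to `foo/bar` rather than rejected; an extractor that prefers to refuse such entries can test `defuse_dotdot`'s return value and skip any entry it had to rewrite.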
Re: [PHP-DEV] New function proposal: spl_object_id
Hello

My usage for spl_object_id wouldn't be solved with SplObjectStorage, here is my current event handler (it uses spl_object_hash). I still have the plan to replace it with something better but it simply works, currently it's not possible to free an object. EVENT::register accepts a static class or object instance.

class EVENT
{
    private static $events = array();

    public static function register($event, $obj, $method)
    {
        if (!isset(self::$events[$event])) {
            self::$events[$event] = array();
        }
        if (is_object($obj)) {
            $hash = spl_object_hash($obj);
        } else {
            $hash = $obj;
        }
        self::$events[$event][$hash] = array($obj, $method);
    }

    public static function fire($event, $eventData = null)
    {
        if (isset(self::$events[$event])) {
            foreach (self::$events[$event] as $callable) {
                call_user_func_array($callable, array($eventData));
            }
        }
    }
}

So spl_object_id would be a nice...

Best regards
Oskar Eisemuth

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP-DEV] GSoC 2009
Scott MacVicar wrote:
Hi Everybody,

It's almost that time again where we rush at the last minute to organise something for the Google Summer of Code, so in the interest of being prepared I'm thinking it's time to start collecting ideas for potential students. I've updated a few of the Wiki pages with some things relevant from the Mentor Summit I attended last year about the idea and applying process. One of them is collecting ideas sooner rather than later and trying to make sure they're as detailed as possible, including what the deliverables are of the project and any ideas of how it should be implemented. If you don't have a Wiki account feel free to email me with your ideas and I'll add it to the page on your behalf. If we're accepted to the program this year, we can discuss the student selection process a bit more. But first let's get the ideas going.

I can try being a mentor again. :)

-Andrei
Re: [PHP-DEV] GSoC 2009
Add the bugtracker, and I can get round to finishing, uni's been far too busy this year so far :-(

On Fri, 23 Jan 2009 13:37:18 -0800, Andrei Zmievski and...@gravitonic.com wrote:
Scott MacVicar wrote:
Hi Everybody,

It's almost that time again where we rush at the last minute to organise something for the Google Summer of Code, so in the interest of being prepared I'm thinking it's time to start collecting ideas for potential students. I've updated a few of the Wiki pages with some things relevant from the Mentor Summit I attended last year about the idea and applying process. One of them is collecting ideas sooner rather than later and trying to make sure they're as detailed as possible, including what the deliverables are of the project and any ideas of how it should be implemented. If you don't have a Wiki account feel free to email me with your ideas and I'll add it to the page on your behalf. If we're accepted to the program this year, we can discuss the student selection process a bit more. But first let's get the ideas going.

I can try being a mentor again. :)

-Andrei
[PHP-DEV] Reserved namespaces
Forgive me if I've missed this in the heat of all the namespaces discussions. Did we consider having reserved namespaces, like 'PHP' or 'SPL', so that if a user tries to declare a namespace with that name an error is raised?

-Andrei
Re: [PHP-DEV] Reserved namespaces
Forgive me if I've missed this in the heat of all the namespaces discussions. Did we consider having reserved namespaces, like 'PHP' or 'SPL', so that if a user tries to declare a namespace with that name an error is raised?

I'd say what you are looking for is probably this.
http://wiki.php.net/rfc/namespaces-for-internal-classes

I know this has been discussed but I'm not sure if any decision has been made on that subject. Or if anyone had time to start digging into this issue further than discussions. Lars?

Cheers,
--
Slan,
David
Re: [PHP-DEV] GSoC 2009
On Fri, Jan 23, 2009 at 23:09, ba...@barrycarlyon.co.uk wrote:
Add the bugtracker, and I can get round to finishing, uni's been far too busy this year so far :-(

Finishing what exactly?

I'd like to add the bugtracker idea again.. but the last year bugtracker gsoc turned into something completely different and not at all usable for php.net.

-Hannes
Re: [PHP-DEV] Reserved namespaces
On Fri, Jan 23, 2009 at 23:14, Andrei Zmievski and...@gravitonic.com wrote:
Forgive me if I've missed this in the heat of all the namespaces discussions. Did we consider having reserved namespaces, like 'PHP' or 'SPL', so that if a user tries to declare a namespace with that name an error is raised?

I don't think we have to treat our users like a total fcking idiots. If anyone thinks using SPL or PHP as their root namespace is a good idea they deserve to be kicked in the nuts.

-Hannes
Re: [PHP-DEV] Reserved namespaces
Hannes Magnusson wrote:
I don't think we have to treat our users like a total fcking idiots. If anyone thinks using SPL or PHP as their root namespace is a good idea they deserve to be kicked in the nuts.

And who's going to administer this kicking?

-Andrei
Re: [PHP-DEV] Reserved namespaces
On 24.01.2009, at 00:49, Andrei Zmievski wrote:
Hannes Magnusson wrote:
I don't think we have to treat our users like a total fcking idiots. If anyone thinks using SPL or PHP as their root namespace is a good idea they deserve to be kicked in the nuts.

And who's going to administer this kicking?

I think the decision was to not yet bother with reserving namespaces or starting to namespace-ify extensions. We might however want to put out a naming guide for namespaces.

regards,
Lukas Kahwe Smith
m...@pooteeweet.org
Re: [PHP-DEV] Reserved namespaces
Lukas Kahwe Smith wrote:
I think the decision was to not yet bother with reserving namespaces or starting to namespace-ify extensions. We might however want to put out a naming guide for namespaces.

I agree. Whether the error is raised or not on reserved namespaces can be done later, but we should explicitly indicate that certain namespaces are off-limits.

-Andrei
Re: [PHP-DEV] Reserved namespaces
On Fri, Jan 23, 2009 at 03:58:22PM -0800, Andrei Zmievski wrote:
Lukas Kahwe Smith wrote:
I think the decision was to not yet bother with reserving namespaces or starting to namespace-ify extensions. We might however want to put out a naming guide for namespaces.

I agree. Whether the error is raised or not on reserved namespaces can be done later, but we should explicitly indicate that certain namespaces are off-limits.

Could take the simple convention that exists in perl with modules. Module names begin with a capital letter, pragmas are lower case, thus you have:

    use strict;
    use IO::File;

Nobody is made to do anything, however you lose the option to complain if your namespace starts with a lower case character.

--
Alain Williams
Linux/GNU Consultant - Mail systems, Web sites, Networking, Programmer, IT Lecturer.
+44 (0) 787 668 0256 http://www.phcomp.co.uk/
Parliament Hill Computers Ltd. Registration Information: http://www.phcomp.co.uk/contact.php
Past chairman of UKUUG: http://www.ukuug.org/
#include std_disclaimer.h
Re: [PHP-DEV] GSoC 2009
Hannes Magnusson schrieb:
I'd like to add the bugtracker idea again.. but the last year bugtracker gsoc turned into something completely different and not at all usable for php.net.

What is bugging me is the question whether we really need our own bugtracker software.

--
Sebastian Bergmann http://sebastian-bergmann.de/
GnuPG Key: 0xB85B5D69 / 27A7 2B14 09E4 98CD 6277 0E5B 6867 C514 B85B 5D69