[PHP-DEV] Re: [php-maint] [PHP-DEV] CVE-2008-5658 unfixed or new problem with Zip::extractTo in 5.2.x?

2009-01-23 Thread sean finney
hi again,

On Fri, Jan 23, 2009 at 08:23:59AM +0100, sean finney wrote:
 it's unfortunate that there isn't a more surgical fix (301 insertions!),
 but i'll take your word for it that it would be too complicated/dangerous
 to try and modify virtual_file_ex() directly.

actually, i think i've found a slightly more graceful workaround :)

since virtual_file_ex is too fragile to be changed, here's a patch that
does the following as a workaround:

- take a temporary copy of the filename
- replace all instances of ^../, /../, and /..$ with ///.
- pass this mangled filename to virtual_file_ex for normalization

it seems virtual_file_ex can handle such a filename without problem, and 
with proper formatting the current patch only inserts 22 lines to php_zip.c.
someone should probably double check this code for early-morning coding
errors though :)

what do you think?


sean
--- ext/zip/php_zip.c.orig  2009-01-23 08:29:32.0 +0100
+++ ext/zip/php_zip.c   2009-01-23 08:56:42.0 +0100
@@ -142,6 +142,9 @@
char *path_cleaned;
size_t path_cleaned_len;
cwd_state new_state;
+  char *tmp_file = NULL;
+  char *tmp_needle = NULL;
+  int virtual_ret = 0;
 
new_state.cwd = (char*)malloc(1);
new_state.cwd[0] = '\0';
@@ -150,7 +153,25 @@
/* Clean/normlize the path and then transform any path (absolute or 
relative)
 to a path relative to cwd (../../mydir/foo.txt  mydir/foo.txt)
 */
-   virtual_file_ex(new_state, file, NULL, CWD_EXPAND);
+  tmp_file = strdup(file); 
+  while (tmp_needle=strstr(tmp_file, /../))
+  {
+*(tmp_needle+1)=*(tmp_needle+2)='/';
+  }
+  if (strncmp(tmp_file, .., 2) == 0  (file_len == 2 || tmp_file[2] == '/'))
+  {
+tmp_file[0]=tmp_file[1]='/';
+  }
+  if (file_len  3  strncmp(tmp_file[file_len-2], .., 2) == 0) 
+  {
+tmp_file[file_len-1]=tmp_file[file_len-2]='/';
+  }
+   virtual_ret = virtual_file_ex(new_state, tmp_file, NULL, CWD_EXPAND);
+  free(tmp_file);
+  if (virtual_ret == 1) 
+  {
+return 0;
+  }
path_cleaned =  php_zip_make_relative_path(new_state.cwd, 
new_state.cwd_length);
path_cleaned_len = strlen(path_cleaned);
 
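Review bot: the early `return 0;` taken when `virtual_ret == 1` leaks `new_state.cwd`, which the first hunk shows being allocated just above (`new_state.cwd = (char*)malloc(1);`); free it before returning. In the same hunk, `tmp_file = strdup(file);` is handed straight to `strstr` with no NULL check, so an allocation failure dereferences NULL; test it and take the same failure path. The trailing-`..` check `strncmp(tmp_file[file_len-2], .., 2)` passes a `char` where a `const char *` is expected (use `tmp_file + file_len - 2`), and unlike the leading check it never verifies that a `/` precedes the two dots, so an ordinary entry named `foo..` is rewritten to `foo//` and extracted under the wrong name; require `tmp_file[file_len-3] == '/'` as well. The quotes around `/../` and `..`, the `&&` operators and the `&` in `virtual_file_ex(&new_state, ...)` are also missing from this copy of the patch, presumably lost in transit, so please check against the real file. Minor: the assignment inside `while (tmp_needle=strstr(tmp_file, /../))` deserves an extra pair of parentheses to keep compilers quiet, and only `/` is treated as a separator, which is fine on POSIX but worth confirming against how virtual_file_ex treats `\` on Windows.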




Re: [PHP-DEV] New function proposal: spl_object_id

2009-01-23 Thread Oskar Eisemuth

Hello

My usage for spl_object_id wouldn't be solved with SplObjectStorage,
here is my current event handler (it uses spl_object_hash)
I still have the plan to replace it with something better but it simply works,
currently it's not possible to free an object.

EVENT::register accepts a static class or object instance.


class EVENT {
    private static $events = array();

    // $obj is either a class name (static handler) or an object instance
    public static function register($event, $obj, $method) {
        if (!isset(self::$events[$event])) self::$events[$event] = array();

        if (is_object($obj)) {
            // key the handler on the object's identity, not on the object itself
            $hash = spl_object_hash($obj);
        } else {
            $hash = $obj;
        }
        // the stored reference keeps $obj alive for as long as it is registered
        self::$events[$event][$hash] = array($obj, $method);
    }

    public static function fire($event, $eventData = null) {
        if (isset(self::$events[$event])) {
            foreach (self::$events[$event] as $callable) {
                call_user_func_array($callable, array($eventData));
            }
        }
    }
}

So spl_object_id would be a nice...

Best regards
Oskar Eisemuth


--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP-DEV] GSoC 2009

2009-01-23 Thread Andrei Zmievski

Scott MacVicar wrote:

Hi Everybody,

It's almost that time again where we rush at the last minute to organise 
something for the Google Summer of Code, so in the interest of being 
prepared I'm thinking it's time to start collecting ideas for potential 
students. I've updated a few of the Wiki pages with some things relevant 
from the Mentor Summit I attended last year about the idea and applying 
process.


One of them is collecting ideas sooner rather than later and trying to 
make sure they're as detailed as possible, including what the deliverables 
are of the project and any ideas of how it should be implemented. If you 
don't have a Wiki account feel free to email me with your ideas and I'll 
add it to the page on your behalf.


If we're accepted to the program this year, we can discuss the student 
selection process a bit more. But first let's get the ideas going.


I can try being a mentor again. :)

-Andrei




Re: [PHP-DEV] GSoC 2009

2009-01-23 Thread barry
Add the bugtracker, and I can get round to finishing, uni's been far too
busy this year so far :-(

On Fri, 23 Jan 2009 13:37:18 -0800, Andrei Zmievski and...@gravitonic.com
wrote:
 Scott MacVicar wrote:
 Hi Everybody,

 It's almost that time again where we rush at the last minute to organise
 something for the Google Summer of Code, so in the interest of being
 prepared I'm thinking it's time to start collecting ideas for potential
 students. I've updated a few of the Wiki pages with some things relevant
 from the Mentor Summit I attended last year about the idea and applying
 process.

 One of them is collecting ideas sooner rather than later and trying to
 make sure they're as detailed as possible, including what the deliverables
 are of the project and any ideas of how it should be implemented. If you
 don't have a Wiki account feel free to email me with your ideas and I'll
 add it to the page on your behalf.

 If we're accepted to the program this year, we can discuss the student
 selection process a bit more. But first let's get the ideas going.
 
 I can try being a mentor again. :)
 
 -Andrei
 





[PHP-DEV] Reserved namespaces

2009-01-23 Thread Andrei Zmievski
Forgive me if I've missed this in the heat of all the namespaces discussions. Did we 
consider having reserved namespaces, like 'PHP' or 'SPL', so that if a user tries to 
declare a namespace with that name an error is raised?


-Andrei




Re: [PHP-DEV] Reserved namespaces

2009-01-23 Thread David Coallier
 Forgive me if I've missed this in the heat of all the namespaces
 discussions. Did we consider having reserved namespaces, like 'PHP' or
 'SPL', so that if a user tries to declare a namespace with that name an
 error is raised?

I'd say what you are looking for is probably this.
http://wiki.php.net/rfc/namespaces-for-internal-classes

I know this has been discussed but I'm not sure if any decision has
been made on that subject. Or if anyone had time to start digging into
this issue further than discussions. Lars?

Cheers,

-- 
Slan,
David




Re: [PHP-DEV] GSoC 2009

2009-01-23 Thread Hannes Magnusson
On Fri, Jan 23, 2009 at 23:09,  ba...@barrycarlyon.co.uk wrote:
 Add the bugtracker, and I can get round to finishing, uni's been far too
 busy this year so far :-(


Finishing what exactly?

I'd like to add the bugtracker idea again.. but the last year
bugtracker gsoc turned into something completely different and not at
all usable for php.net.

-Hannes




Re: [PHP-DEV] Reserved namespaces

2009-01-23 Thread Hannes Magnusson
On Fri, Jan 23, 2009 at 23:14, Andrei Zmievski and...@gravitonic.com wrote:
 Forgive me if I've missed this in the heat of all the namespaces
 discussions. Did we consider having reserved namespaces, like 'PHP' or
 'SPL', so that if a user tries to declare a namespace with that name an
 error is raised?

I don't think we have to treat our users like a total fcking idiots.
If anyone thinks using SPL or PHP as their root namespace is a
good idea they deserve to be kicked in the nuts.

-Hannes




Re: [PHP-DEV] Reserved namespaces

2009-01-23 Thread Andrei Zmievski

Hannes Magnusson wrote:

I don't think we have to treat our users like a total fcking idiots.
If anyone thinks using SPL or PHP as their root namespace is a
good idea they deserve to be kicked in the nuts.


And who's going to administer this kicking?

-Andrei




Re: [PHP-DEV] Reserved namespaces

2009-01-23 Thread Lukas Kahwe Smith


On 24.01.2009, at 00:49, Andrei Zmievski wrote:


Hannes Magnusson wrote:

I don't think we have to treat our users like a total fcking idiots.
If anyone thinks using SPL or PHP as their root namespace is a
good idea they deserve to be kicked in the nuts.


And who's going to administer this kicking?



I think the decision was to not yet bother with reserving namespaces  
or starting to namespace-ify extensions. We might however want to put  
out a naming guide for namespaces.


regards,
Lukas Kahwe Smith
m...@pooteeweet.org







Re: [PHP-DEV] Reserved namespaces

2009-01-23 Thread Andrei Zmievski

Lukas Kahwe Smith wrote:
I think the decision was to not yet bother with reserving namespaces or 
starting to namespace-ify extensions. We might however want to put out a 
naming guide for namespaces.


I agree. Whether the error is raised or not on reserved namespaces can be done later, but 
we should explicitly indicate that certain namespaces are off-limits.


-Andrei




Re: [PHP-DEV] Reserved namespaces

2009-01-23 Thread Alain Williams
On Fri, Jan 23, 2009 at 03:58:22PM -0800, Andrei Zmievski wrote:
 Lukas Kahwe Smith wrote:
 I think the decision was to not yet bother with reserving namespaces or 
 starting to namespace-ify extensions. We might however want to put out a 
 naming guide for namespaces.
 
 I agree. Whether the error is raised or not on reserved namespaces can be 
 done later, but we should explicitly indicate that certain namespaces are 
 off-limits.

Could take the simple convention that exists in perl with modules.

Module names begin with a capital letter, pragmas are lower case, thus you 
have:

use strict;

use IO::File;

Nobody is made to do anything, however you lose the option to complain if your
namespace starts with a lower case character.

-- 
Alain Williams
Linux/GNU Consultant - Mail systems, Web sites, Networking, Programmer, IT 
Lecturer.
+44 (0) 787 668 0256  http://www.phcomp.co.uk/
Parliament Hill Computers Ltd. Registration Information: 
http://www.phcomp.co.uk/contact.php
Past chairman of UKUUG: http://www.ukuug.org/
#include std_disclaimer.h




Re: [PHP-DEV] GSoC 2009

2009-01-23 Thread Sebastian Bergmann
Hannes Magnusson wrote:
 I'd like to add the bugtracker idea again.. but the last year
 bugtracker gsoc turned into something completely different and not at
 all usable for php.net.

 What is bugging me is the question whether we really need our own
 bugtracker software.

-- 
Sebastian Bergmann  http://sebastian-bergmann.de/
GnuPG Key: 0xB85B5D69 / 27A7 2B14 09E4 98CD 6277 0E5B 6867 C514 B85B 5D69

