[PHP-BUG] Bug #62789 [NEW]: Autoloaders are invoked with invalid class names
From: drak at zikula dot org
Operating system:
PHP version: 5.3.15
Package: SPL related
Bug Type: Bug
Bug description: Autoloaders are invoked with invalid class names

Description:

It is possible to invoke class autoloaders with invalid class names leading to potential security issues.

Classes can contain alphanumeric, underscore and backslash characters. However, code like:

    $foo = new $class

where $class might contain any arbitrary string will cause the autoloader stack to be called even if the $class variable contained invalid characters for a class name.

This could lead to various file inclusion issues as detailed in http://drak3.devmx.de/blog/2012/08/08/autoloaded-remote-file-inclusion/

However, it is not reasonable for classloaders to validate the class name passed to it via PHP for valid classname characters. Doing so would be an incredible burden on performance ever increasing with the size of the autoloader stack.

I suggest that PHP validate the characters of the class before deciding to call the autoloader stack or not.
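A sketch of the check this report is about, written as a guard inside a path-mapping autoloader. It is an added example, not code from the report or from PHP itself; the function names, the `lib/` base directory and the sample inputs are assumptions made for illustration.

```php
<?php
// Added example: function names and the lib/ directory are hypothetical.

// Accept only identifier segments joined by single backslashes.
// \A and \z anchor the whole string, so a trailing newline is rejected too.
function isValidClassName($name)
{
    $segment = '[a-zA-Z_\x80-\xff][a-zA-Z0-9_\x80-\xff]*';
    $pattern = '/\A\\\\?' . $segment . '(?:\\\\' . $segment . ')*\z/';
    return is_string($name) && preg_match($pattern, $name) === 1;
}

// Autoloader that maps Vendor\Package\Widget or Legacy_Widget to a file
// below $baseDir, but only after the name has passed the check above.
function makeAutoloader($baseDir)
{
    return function ($class) use ($baseDir) {
        if (!isValidClassName($class)) {
            return false; // never build a path from an invalid name
        }
        $relative = str_replace(array('\\', '_'), DIRECTORY_SEPARATOR, ltrim($class, '\\'));
        $path = $baseDir . DIRECTORY_SEPARATOR . $relative . '.php';
        if (is_file($path)) {
            require $path;
            return true;
        }
        return false;
    };
}

spl_autoload_register(makeAutoloader(__DIR__ . '/lib'));

// Constructed inputs: two ordinary names, then strings that are not class names.
$samples = array(
    'Vendor\\Package\\Widget',
    'Legacy_Widget',
    '../../etc/passwd',
    'http://example.invalid/x',
    "Foo\0Bar",
    "Foo\n",
    'Foo\\\\Bar',
);
foreach ($samples as $s) {
    printf("%-30s %s\n", json_encode($s), isValidClassName($s) ? 'accepted' : 'rejected');
}
```

Only the first two samples are accepted; the others are rejected before any file path is derived from them.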
Bug #61172 [Opn]: With Apache 2.4.1, ./configure fails on APXS but stops only on the MySQL check.
ID: 61172
Updated by: d...@php.net
Reported by: antoine dot bajolet at tdf dot fr
Summary: With Apache 2.4.1, ./configure fails on APXS but stops only on the MySQL check.
Status: Open
Type: Bug
Package: Compile Failure
Operating System: Linux 3.2.6 glibc 2.11.3
PHP Version: 5.3.10
Block user comment: N
Private report: N

New Comment:

The patch also works for me too, +1 for getting this into the trunk and 5.3 branches.

Previous Comments:

[2012-02-28 22:57:33] s...@php.net

The following patch has been added/updated:

Patch Name: bug61172.patch.txt
Revision: 1330469853
URL: https://bugs.php.net/patch-display.php?bug=61172&patch=bug61172.patch.txt&revision=1330469853

[2012-02-24 19:20:04] s...@php.net

The following patch has been added/updated:

Patch Name: bug61172.patch.txt
Revision: 1330111204
URL: https://bugs.php.net/patch-display.php?bug=61172&patch=bug61172.patch.txt&revision=1330111204

[2012-02-24 15:12:05] jpa...@php.net

Same problem here, apxs -q doesn't handle MPM anymore because of DSOs MPM in Apache 2.4, I get a ZTS PHP at final whatever happens (no errors)

The patch works fine, I suggest we merge it to 5.3 and 5.4 branches

[2012-02-24 06:11:08] antoine dot bajolet at tdf dot fr

The patch works fine, thanks. PHP compiles to the end.
(Note I didn't change anything about mysql and I have no configure failure anymore).

Regards,
AB

[2012-02-24 00:49:37] s...@php.net

Try the attached patch:

    patch bug61172.patch.txt
    rm configure config.cache autom4ate.*
    ./buildconf --force
    ./configure

The remainder of the comments for this report are too long. To view the rest of the comments, please view the bug report online at https://bugs.php.net/bug.php?id=61172
[PHP-BUG] Bug #60640 [NEW]: Invalid return values
From:
Operating system:
PHP version: 5.4.0RC4
Package: Session related
Bug Type: Bug
Bug description: Invalid return values

Description:

According to the documentation at http://www.php.net/manual/en/class.sessionhandler.php the various methods return 0 for success and 1 for failure which is kind of backwards since 0 would normally be evaluated as false and 1 as true.

This is in direct contradiction with the current expected behaviour of session_set_save_handler() http://www.php.net/manual/en/function.session-set-save-handler.php which expects true or false return values except for the read handler which should always return a string.

What's the deal here? I think the return values really should be true and false for this class, as expected by session_set_save_handler()

Expected result:

I would expect the methods of SessionHandler class to return back true or false for all methods except read() which should return a string, as expected by the session_set_save_handler()