Re: [PHP-DEV] Fix for wordwrap()

2003-03-06 Thread Jedi/Sector One
On Thu, Mar 06, 2003 at 09:53:22AM -0500, Ilia A. wrote:
> you are hardcoding the 'break' as ' ',
> meaning that no other character is considered a space hence

  The documentation states that 'break' is what is used to break lines, not
what is considered a space. 

  A simple try with PHP 4.3.1:
  
$a = "w\nphprules\nw";
print wordwrap($a, 10, '', 10);

  Output:
  
w
phprules
w

  Looks buggy to me.
  

-- 
PHP Development Mailing List 
To unsubscribe, visit: http://www.php.net/unsub.php



[PHP-DEV] Fix for wordwrap()

2003-03-06 Thread Jedi/Sector One
  Hello.
  
  Maybe this is the intended behavior, but wordwrap()'s behavior is a bit
illogical on PHP 4.3.1, as it only breaks after a plain whitespace, not
after punctuation, \n, etc.

  Here's a trivial sample:
  
$a = "ww\nphprules\nw";
print wordwrap($a, 10, ' ', 10);

  Output:
  
ww 
p hprules
ww ww w

  The following trivial patch makes wordwrap() wrap after any
non-alphanumeric character. Output after application of that patch:

ww  phprules ww www

  Best regards,
  
   -Frank.
--- php-4.3.1/ext/standard/string.c 2002-12-27 04:22:20.0 +0100
+++ php-4.3.1-jedi/ext/standard/string.c2003-03-06 12:41:46.0 +0100
@@ -654,7 +654,7 @@
for (current = 0; current < textlen; current++) {
if (text[current] == breakchar[0]) {
laststart = lastspace = current;
-   } else if (text[current] == ' ') {
+   } else if (!isalnum((unsigned char) text[current])) {
if (current - laststart >= linelength) {
newtext[current] = breakchar[0];
laststart = current;
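Review bot: with `!isalnum((unsigned char) text[current])` as the new break predicate, the assignment `newtext[current] = breakchar[0];` two lines below now overwrites whatever non-alphanumeric byte sits at the line boundary, so a '.', ',' or ')' at that position is replaced by the break character and silently disappears from the output, whereas the old `== ' '` test only ever overwrote a space. The predicate is also locale-dependent: under the C locale every byte above 0x7F is non-alphanumeric, so accented Latin-1 text and UTF-8 multibyte sequences become break points in the middle of a word. Consider keeping the replace-in-place path for spaces only and inserting (not overwriting) the break after other characters, and check that string.c includes <ctype.h> for isalnum, which this hunk does not show.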
@@ -701,7 +701,7 @@
}
/* if it is a space, check if it is at the line boundary,
 * copy and insert a break, or just keep track of it */
-   else if (text[current] == ' ') {
+   else if (!isalnum((unsigned char) text[current])) {
if (current - laststart >= linelength) {
memcpy(newtext+newtextlen, text+laststart, 
current-laststart);
newtextlen += current - laststart;
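Review bot: the comment just above this condition ("if it is a space, ...") is now stale, since the branch matches any non-alphanumeric byte; it should describe the new rule. The same predicate is now duplicated in two loops (here and in the first hunk), so a small inline helper or macro such as `is_break_candidate(c)` would keep the two code paths from drifting apart. As in the first hunk, the `memcpy` copies `current-laststart` bytes, i.e. everything before `text[current]`, so the character that triggered the break is never copied and punctuation at the boundary is lost once the break is inserted in its place.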


Re: [PHP-DEV] Thread Reading

2002-09-19 Thread Jedi/Sector One

On Thu, Sep 19, 2002 at 01:56:03PM -0400, [EMAIL PROTECTED] wrote:
> This is a security standard that is already inherent in the current phps
> version.  It is also not the job of PHP to save people from themselves.

  And sensitive cleartext data like SQL passwords can always be passed
through environment variables. For instance, Apache has the 'SetEnv'
directive to set this, and the httpd.conf file can be made only readable by
root.

  That way, publishing the source code doesn't reveal anything.

-- 
 __  /*-      Frank DENIS (Jedi/Sector One) <[EMAIL PROTECTED]> -*\  __
 \ '/    http://www.PureFTPd.Org/     Secure FTP Server    \' /
  \/     http://www.Jedi.Claranet.Fr/  Misc. free software  \/





Re: [PHP-DEV] Re: Suggestion about native DB support.

2002-06-21 Thread Jedi/Sector One

On Fri, Jun 21, 2002 at 10:37:15AM -0300, Garland foster wrote:
> What about the native DBM support? Nobody answered that part.

  And what about SQLite? Porting existing PHP scripts (designed for MySQL or
PostgreSQL) to SQLite is easy.





Re: [PHP-DEV] PHP audit

2002-03-14 Thread Jedi/Sector One

On Thu, Mar 14, 2002 at 05:10:38PM +0200, Andi Gutmans wrote:
> Me too. I don't see much reason not to commit directly to PHP, at least the 
> obvious patches. If there are any conceptual changes we should discuss them 
> first.

  Because we are working on version 4.1.2 right now. We will switch to -HEAD
in 1-2 weeks.





Re: [PHP-DEV] PHP audit

2002-03-14 Thread Jedi/Sector One

On Thu, Mar 14, 2002 at 02:53:27PM +0100, Markus Fischer wrote:
> I thought he was refering to CVS access to the current state
> of their patch. The websites doesn't list any such resource.

  The CVS was just installed a few minutes ago. There's no anonymous access
yet.





Re: [PHP-DEV] PHP audit

2002-03-14 Thread Jedi/Sector One

On Thu, Mar 14, 2002 at 01:34:06PM -, James Cox wrote:
> What's stopping you committing it to cvs.php.net ?

  It might be better to work on a separate tree, and later let PHP developers
merge what parts they want to.

  Or maybe we can work on cvs.php.net on a separate branch.
  




Re: [PHP-DEV] sizeof foo vs sizeof (foo) (Was Re: [PHP-DEV] PHP audit)

2002-03-14 Thread Jedi/Sector One

On Thu, Mar 14, 2002 at 01:19:32PM +, Wez Furlong wrote:
> I know of a compiler for the Amiga that doesn't grok 'sizeof struct foo';
> the solution is to always use 'sizeof(struct foo)'.

  sizeof  is incorrect.
  
  The correct sizeof semantics are
  
  sizeof   
  or:  
  sizeof(  )
  
  So sizeof () means to evaluate '()' whose result is
'', then compute 'sizeof ' .





Re: [PHP-DEV] PHP audit

2002-03-14 Thread Jedi/Sector One

>The only comment I have (after this short glance) is that I'd rather see 
>sizeof(foo) instead of 'sizeof foo'

  No problem Zeev. All sizeof x (including those we didn't introduce) have
just been replaced by sizeof(x).

  We are now working on a CVS tree. If you want access to review or change
things, just ask.





Re: [PHP-DEV] PHP audit project

2002-03-11 Thread Jedi/Sector One

On Mon, Mar 11, 2002 at 01:43:40PM +0100, Stefan Esser wrote:
> Sorry, my fault. I have overseen that. I just wanted to clearify what
> strlcat and strlcpy are.

  strlcpy and strlcat are quick and dirty band-aids against buffer
overflows. They suck because if a string is truncated, other bad things can
happen. These functions don't replace proper error handling. But once again,
we have just started the project, and this is a first step. Real fixes (without
strl*) will come later.

> I dislike OpenBSD because of several reasons but this list
> is not the right place to discuss anything like this.

  Every operating system has strengths and weaknesses.  is the best one because you know it very well, you feel comfortable
with it, and it fits your needs. OS wars are plenty stupid, especially in
the open-source world.

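A C illustration, added here and not part of the original post or of the PHP audit patches, of the point Frank makes above: strlcpy/strlcat only keep the buffer in bounds, and unless their return value is checked the truncation passes silently and the program goes on with wrong data. The aud_strlcpy/aud_strlcat helpers and the two path-building functions are hypothetical local code following the OpenBSD contract the thread refers to.

```c
#include <stdio.h>
#include <string.h>

/* Local aud_strlcpy/aud_strlcat with the OpenBSD contract: copy at most
 * size-1 bytes, always NUL-terminate (size > 0) and return the length the
 * full result would have had, so a return value >= size means truncation. */
static size_t aud_strlcpy(char *dst, const char *src, size_t size)
{
    size_t srclen = strlen(src);
    if (size > 0) {
        size_t n = srclen < size - 1 ? srclen : size - 1;
        memcpy(dst, src, n);
        dst[n] = '\0';
    }
    return srclen;
}

static size_t aud_strlcat(char *dst, const char *src, size_t size)
{
    size_t dstlen = 0;
    while (dstlen < size && dst[dstlen] != '\0') dstlen++;
    if (dstlen == size)          /* dst not terminated within size: append nothing */
        return size + strlen(src);
    return dstlen + aud_strlcpy(dst + dstlen, src, size - dstlen);
}

/* What the post criticises: no overflow, but silent truncation; a caller that opens buf gets a file it never asked for. */
static int build_path_unchecked(char *buf, size_t bufsize, const char *dir, const char *name)
{
    aud_strlcpy(buf, dir, bufsize);
    aud_strlcat(buf, "/", bufsize);
    aud_strlcat(buf, name, bufsize);
    return 0;
}

/* Proper error handling: truncation is reported (-1), never acted upon. */
static int build_path(char *buf, size_t bufsize, const char *dir, const char *name)
{
    if (aud_strlcpy(buf, dir, bufsize) >= bufsize) return -1;
    if (aud_strlcat(buf, "/", bufsize) >= bufsize) return -1;
    if (aud_strlcat(buf, name, bufsize) >= bufsize) return -1;
    return 0;
}

int main(void)
{
    char small[16];   /* cannot hold the 23-byte "/var/www/html/index.php" */
    build_path_unchecked(small, sizeof small, "/var/www/html", "index.php");
    printf("unchecked: \"%s\"\n", small);   /* prints "/var/www/html/i" */
    printf("checked: %d\n", build_path(small, sizeof small, "/var/www/html", "index.php"));
    return 0;
}
```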




Re: [PHP-DEV] PHP audit project

2002-03-11 Thread Jedi/Sector One

On Mon, Mar 11, 2002 at 01:21:02PM +0100, Stefan Esser wrote:
> strlcpy and strlcat are inventions of the OpenBSD project. Since they
> invented
> those they are trying to "infect" other projects.

  PHP is already infected.
  
  Try to grep for strlcpy and strlcat in the _vanilla_ PHP source code.

  But that's ok. If you don't want us to work on PHP, let our project stop.
  




Re: [PHP-DEV] PHP audit project

2002-03-11 Thread Jedi/Sector One

On Mon, Mar 11, 2002 at 01:17:07PM +0100, [EMAIL PROTECTED] wrote:
> > Are the strlcpy and strlcat functions (used in the patches) available on
> > Linux?
> [derick@kossu derick]$ man strlcpy
> No manual entry for strlcpy
> [derick@kossu derick]$ man strlcat
> No manual entry for strlcat

  PHP defines them if they don't exist. It's in main/strlcpy.c and
main/strlcat.c 





[PHP-DEV] PHP audit project

2002-03-11 Thread Jedi/Sector One

   Hello.
   
  This is Frank from the PHP audit project.
  Here are some clarifications.
  
  We are working on PHP 4.1.2 because we want to quickly release a patch
with basic hardening. Because of the recent vulnerabilities discovered by
Stefan, chances are that a lot of kiddies are also auditing the source code
with other goals. So we want to release something against the current stable
release in order to decrease the chances of new immediate exploits.

  We have just started the work. There are still plenty of things to be
done. As our patches are moving targets and as we don't have a CVS server to
work with, things aren't split into multiple simple patches yet. But as
soon as the 4.1.2 audit is completed, we will split up everything as
small patches in order to submit them to PHP developers. Then we will work
on -HEAD.

  The goal is to help the PHP development, not to keep the patches
separate, only for OpenBSD. There are some OpenBSD enhancements, but they
are all surrounded with #ifdef __OpenBSD__ . We don't want to break
portability, nor to release something only for OpenBSD. The patches are
there to be shared by everyone. FYI, I'm working on them on my Linux laptop.

  The PHP source code is great. We haven't found really bad things so far.
There are suspicious parts, but we haven't verified that they really are
vulnerable, because we are only at stage 1 of the audit, and we didn't
review these parts in their global context. If we verify a flaw, we _will_
immediately let you know.

  Best regards,
  
 -Frank.
     