Re: [PHP-DEV] PHP audit
I think their work is a good step that PHP needed for a while. I also think it's an ongoing project, and not a one-time pass.

Looking at the patch, the vast majority of changes made don't actually fix bugs, but rather, implement the same code using 'defensive' techniques. E.g., use strlcpy() instead of strcpy(), even when strcpy() is safe; or, use sizeof(foo) instead of a hardcoded number as an argument to snprintf(), in case the size of foo changes in the future.

The only comment I have (after this short glance) is that I'd rather see sizeof(foo) instead of 'sizeof foo' (we don't need yet another style in our code base :), but otherwise, I think most of the patches should make it into the main tree.

Zeev

At 14:22 14/03/2002, Andrew Sitnikov wrote:
> Hello php-dev,
>
> What you think about this: http://phpaudit.42-networks.com/
>
> Big size of patch does not bring pleasure
>
> Best regards,
> Andrew Sitnikov
> e-mail : [EMAIL PROTECTED]
> GSM: (+372) 56491109

--
PHP Development Mailing List http://www.php.net/
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP-DEV] PHP audit
Zeev Suraski wrote:
> I think their work is a good step that PHP needed for a while. I also think it's an ongoing project, and not a one-time pass.
>
> Looking at the patch, the vast majority of changes made don't actually fix bugs, but rather, implement the same code using 'defensive' techniques. E.g., use strlcpy() instead of strcpy(), even when strcpy() is safe; or, use sizeof(foo) instead of a hardcoded number as an argument to snprintf(), in case the size of foo changes in the future.
>
> The only comment I have (after this short glance) is that I'd rather see sizeof(foo) instead of 'sizeof foo' (we don't need yet another style in our code base :), but otherwise, I think most of the patches should make it into the main tree.

That's what I thought, too.
I'm also surprised by the fact that there are so many magic numbers in php source ;)

--
Yasuo Ohgaki

> Zeev
>
> At 14:22 14/03/2002, Andrew Sitnikov wrote:
>> Hello php-dev,
>>
>> What you think about this: http://phpaudit.42-networks.com/
>>
>> Big size of patch does not bring pleasure
>>
>> Best regards,
>> Andrew Sitnikov
>> e-mail : [EMAIL PROTECTED]
>> GSM: (+372) 56491109
[PHP-DEV] sizeof foo vs sizeof (foo) (Was Re: [PHP-DEV] PHP audit)
On 14/03/02, Zeev Suraski [EMAIL PROTECTED] wrote:
> The only comment I have (after this short glance) is that I'd rather see sizeof(foo) instead of 'sizeof foo' (we don't need yet another style in our code base :),

I know of a compiler for the Amiga that doesn't grok 'sizeof struct foo'; the solution is to always use 'sizeof(struct foo)'.

As for the audit project itself; it does sound like a good idea.

--Wez.
Re: [PHP-DEV] PHP audit
> The only comment I have (after this short glance) is that I'd rather see sizeof(foo) instead of 'sizeof foo'

No problem Zeev. All sizeof x (including those we didn't introduce) have just been replaced by sizeof(x).

We are now working on a CVS tree. If you want access to review or change things, just ask.

--
Frank DENIS (Jedi/Sector One) [EMAIL PROTECTED]
http://www.PureFTPd.Org/ Secure FTP Server
http://www.Jedi.Claranet.Fr/ Misc. free software
Re: [PHP-DEV] sizeof foo vs sizeof (foo) (Was Re: [PHP-DEV] PHP audit)
On Thu, Mar 14, 2002 at 01:19:32PM +, Wez Furlong wrote:
> I know of a compiler for the Amiga that doesn't grok 'sizeof struct foo'; the solution is to always use 'sizeof(struct foo)'.

sizeof type is incorrect.

The correct sizeof semantics are

    sizeof value

or:

    sizeof( type )

So sizeof (value) means to evaluate '(value)' whose result is 'value', then compute 'sizeof value'.

--
Frank DENIS (Jedi/Sector One) [EMAIL PROTECTED]
RE: [PHP-DEV] PHP audit
> We are now working on a CVS tree. If you want access to review or change things, just ask.

What's stopping you committing it to cvs.php.net ?

James Cox

--
James Cox :: [EMAIL PROTECTED] :: Landonize It! http://landonize.it/
Was I helpful? http://www.amazon.co.uk/exec/obidos/wishlist/23IVGHQ61RJGO/
Re: [PHP-DEV] PHP audit
On Thu, Mar 14, 2002 at 01:34:06PM -, James Cox wrote:
> What's stopping you committing it to cvs.php.net ?

It might be better to work on a separate tree, and later let PHP developers merge what parts they want to.

Or maybe we can work on cvs.php.net on a separate branch.

--
Frank DENIS (Jedi/Sector One) [EMAIL PROTECTED]
Re: [PHP-DEV] PHP audit
> It might be better to work on a separate tree, and later let PHP developers merge what parts they want to.

Why? Your patches then would bit-rot constantly and you would have to update it even that nothing changes, and risk introducing new bugs in transition.

--
Stanislav Malyshev, Zend Products Engineer
[EMAIL PROTECTED] http://www.zend.com/ +972-3-6139665 ext.115
Re: [PHP-DEV] sizeof foo vs sizeof (foo) (Was Re: [PHP-DEV] PHP audit)
We know :)
And yet, we always use sizeof(), regardless of whether we feed it with a type or a value.

Zeev

At 15:34 14/03/2002, Jedi/Sector One wrote:
> On Thu, Mar 14, 2002 at 01:19:32PM +, Wez Furlong wrote:
>> I know of a compiler for the Amiga that doesn't grok 'sizeof struct foo'; the solution is to always use 'sizeof(struct foo)'.
>
> sizeof type is incorrect.
>
> The correct sizeof semantics are sizeof value or: sizeof( type )
>
> So sizeof (value) means to evaluate '(value)' whose result is 'value', then compute 'sizeof value'.
>
> --
> Frank DENIS (Jedi/Sector One) [EMAIL PROTECTED]
RE: [PHP-DEV] PHP audit
> On Thu, Mar 14, 2002 at 01:34:06PM -, James Cox wrote:
>> What's stopping you committing it to cvs.php.net ?
>
> It might be better to work on a separate tree, and later let PHP developers merge what parts they want to.
>
> Or maybe we can work on cvs.php.net on a separate branch.

Personally, i think it might be a good idea to cut a branch for it -- and merge to head bit by bit.. but looking at the patch i think it looks pretty good -- and is needed (imo).

apply (if you haven't already) at http://www.php.net/cvs-php.php

Thanks,
James
Re: [PHP-DEV] PHP audit
On Thu, Mar 14, 2002 at 02:30:43PM +0059, Jedi/Sector One wrote :
>> The only comment I have (after this short glance) is that I'd rather see sizeof(foo) instead of 'sizeof foo'
>
> No problem Zeev. All sizeof x (including those we didn't introduce) have just been replaced by sizeof(x).
>
> We are now working on a CVS tree. If you want access to review or change things, just ask.

Is there public access ? I'm interested in it too.

- Markus

--
Please always Cc to me when replying to me on the lists.
GnuPG Key: http://guru.josefine.at/~mfischer/C2272BD0.asc
RE: [PHP-DEV] PHP audit
http://phpaudit.42-networks.com/

-Original Message-
From: Markus Fischer [mailto:[EMAIL PROTECTED]]
Sent: Thursday, March 14, 2002 1:43 PM
To: Jedi/Sector One
Cc: [EMAIL PROTECTED]
Subject: Re: [PHP-DEV] PHP audit

On Thu, Mar 14, 2002 at 02:30:43PM +0059, Jedi/Sector One wrote :
>> The only comment I have (after this short glance) is that I'd rather see sizeof(foo) instead of 'sizeof foo'
>
> No problem Zeev. All sizeof x (including those we didn't introduce) have just been replaced by sizeof(x).
>
> We are now working on a CVS tree. If you want access to review or change things, just ask.

Is there public access ? I'm interested in it too.

- Markus

--
Please always Cc to me when replying to me on the lists.
GnuPG Key: http://guru.josefine.at/~mfischer/C2272BD0.asc
Re: [PHP-DEV] PHP audit
At 15:37 14/03/2002, Jedi/Sector One wrote:
> On Thu, Mar 14, 2002 at 01:34:06PM -, James Cox wrote:
>> What's stopping you committing it to cvs.php.net ?
>
> It might be better to work on a separate tree, and later let PHP developers merge what parts they want to.

I think that most patches can be submitted to cvs.php.net directly. If there's something that you think is not a clear-cut patch, then it's best if you raise it first on php-dev, but I think that most patches can go in without further discussion... Andi's CVS police will usually catch things which are really really bad:)

Zeev
RE: [PHP-DEV] PHP audit
We decided not to use branches for development at all, only for releases... I think we should stick to it.

Zeev

At 15:41 14/03/2002, James Cox wrote:
>> On Thu, Mar 14, 2002 at 01:34:06PM -, James Cox wrote:
>>> What's stopping you committing it to cvs.php.net ?
>>
>> It might be better to work on a separate tree, and later let PHP developers merge what parts they want to.
>>
>> Or maybe we can work on cvs.php.net on a separate branch.
>
> Personally, i think it might be a good idea to cut a branch for it -- and merge to head bit by bit.. but looking at the patch i think it looks pretty good -- and is needed (imo).
>
> apply (if you haven't already) at http://www.php.net/cvs-php.php
>
> Thanks,
> James
RE: [PHP-DEV] PHP audit
fair enough. :)

-Original Message-
From: Zeev Suraski [mailto:[EMAIL PROTECTED]]
Sent: Thursday, March 14, 2002 1:45 PM
To: James Cox
Cc: Jedi/Sector One; [EMAIL PROTECTED]
Subject: RE: [PHP-DEV] PHP audit

We decided not to use branches for development at all, only for releases... I think we should stick to it.

Zeev

At 15:41 14/03/2002, James Cox wrote:
>> On Thu, Mar 14, 2002 at 01:34:06PM -, James Cox wrote:
>>> What's stopping you committing it to cvs.php.net ?
>>
>> It might be better to work on a separate tree, and later let PHP developers merge what parts they want to.
>>
>> Or maybe we can work on cvs.php.net on a separate branch.
>
> Personally, i think it might be a good idea to cut a branch for it -- and merge to head bit by bit.. but looking at the patch i think it looks pretty good -- and is needed (imo).
>
> apply (if you haven't already) at http://www.php.net/cvs-php.php
>
> Thanks,
> James
Re: [PHP-DEV] PHP audit
On Thu, Mar 14, 2002 at 01:44:44PM -, James Cox wrote :
> http://phpaudit.42-networks.com/

I thought he was referring to CVS access to the current state of their patch. The websites doesn't list any such resource.

- Markus

> -Original Message-
> From: Markus Fischer [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, March 14, 2002 1:43 PM
> To: Jedi/Sector One
> Cc: [EMAIL PROTECTED]
> Subject: Re: [PHP-DEV] PHP audit
>
> On Thu, Mar 14, 2002 at 02:30:43PM +0059, Jedi/Sector One wrote :
>>> The only comment I have (after this short glance) is that I'd rather see sizeof(foo) instead of 'sizeof foo'
>>
>> No problem Zeev. All sizeof x (including those we didn't introduce) have just been replaced by sizeof(x).
>>
>> We are now working on a CVS tree. If you want access to review or change things, just ask.
>
> Is there public access ? I'm interested in it too.
>
> - Markus

--
Please always Cc to me when replying to me on the lists.
GnuPG Key: http://guru.josefine.at/~mfischer/C2272BD0.asc
Re: [PHP-DEV] sizeof foo vs sizeof (foo) (Was Re: [PHP-DEV] PHP audit)
On 14/03/02, Zeev Suraski [EMAIL PROTECTED] wrote:
> We know :) And yet, we always use sizeof(), regardless of whether we feed it with a type or a value.

I meant to say that :)

> At 15:34 14/03/2002, Jedi/Sector One wrote:
>> The correct sizeof semantics are sizeof value or: sizeof( type )

I didn't know that! (and how long have I been coding in C??).
It's interesting that most compilers that I have used _can_ handle 'sizeof type'.

--Wez.
Re: [PHP-DEV] PHP audit
On Thu, Mar 14, 2002 at 02:53:27PM +0100, Markus Fischer wrote:
> I thought he was referring to CVS access to the current state of their patch. The websites doesn't list any such resource.

The CVS was just installed a few minutes ago. There's no anonymous access yet.

--
Frank DENIS (Jedi/Sector One) [EMAIL PROTECTED]
Re: [PHP-DEV] PHP audit
On Thu, 14 Mar 2002, Jedi/Sector One wrote:
> On Thu, Mar 14, 2002 at 02:53:27PM +0100, Markus Fischer wrote:
>> I thought he was referring to CVS access to the current state of their patch. The websites doesn't list any such resource.
>
> The CVS was just installed a few minutes ago. There's no anonymous access yet.

I'd rather see you work on the HEAD branch... that way it's tested much faster, and your patches are always up to date.

Derick

--
PHP: Scripting the Web - [EMAIL PROTECTED]
All your branches are belong to me!
SRM: Site Resource Manager - www.vl-srm.net
Re: [PHP-DEV] PHP audit
At 15:06 14/03/2002 +0100, [EMAIL PROTECTED] wrote:
> On Thu, 14 Mar 2002, Jedi/Sector One wrote:
>> On Thu, Mar 14, 2002 at 02:53:27PM +0100, Markus Fischer wrote:
>>> I thought he was referring to CVS access to the current state of their patch. The websites doesn't list any such resource.
>>
>> The CVS was just installed a few minutes ago. There's no anonymous access yet.
>
> I'd rather see you work on the HEAD branch... that way it's tested much faster, and your patches are always up to date.

Me too. I don't see much reason not to commit directly to PHP, at least the obvious patches. If there are any conceptual changes we should discuss them first.

Andi
Re: [PHP-DEV] PHP audit
On Thu, Mar 14, 2002 at 05:10:38PM +0200, Andi Gutmans wrote:
> Me too. I don't see much reason not to commit directly to PHP, at least the obvious patches. If there are any conceptual changes we should discuss them first.

Because we are working on version 4.1.2 right now.

We will switch to -HEAD in 1-2 weeks.

--
Frank DENIS (Jedi/Sector One) [EMAIL PROTECTED]
Re: [PHP-DEV] PHP audit
At 16:16 14/03/2002 +0059, Jedi/Sector One wrote:
> On Thu, Mar 14, 2002 at 05:10:38PM +0200, Andi Gutmans wrote:
>> Me too. I don't see much reason not to commit directly to PHP, at least the obvious patches. If there are any conceptual changes we should discuss them first.
>
> Because we are working on version 4.1.2 right now.
>
> We will switch to -HEAD in 1-2 weeks.

Oh, I must have missed that detail :)

Andi
RE: [PHP-DEV] PHP audit
Hi,

due to the fact that I now have a cvs account at the phpaudit project i am able to help on both sides. Of course we would like to have a secure head and 4_2_0 branch but it is understandable that fixing 4.1.2 is the primary goal of the project. First things comes first.

Anyway during the next days i am going to look through the code of the HEAD again and will fix all the bugs I find. Additionally I am going to look through the phpaudit patch and commit all the stuff that is not breaking anything.

Stefan

PS: The 4.1.2 hardening patch will also be a solution for the people that encounter the crash bugs in the fileupload code.
Re: [PHP-DEV] PHP audit project
In addition to Zeev,

Hey guys where is your problem if someone wants to infect php code with functions that increases stability of code?

The last days i spent much work to get ext/exif working and many problems came from misuse of strxxx functions. Changing to functions like strlcpy makes the code much more stable and independent from external failures. And here again you cannot rely on the fact that you have read any standard about external stuff you are working on requirements/securisations of code not from yourself. Everything that comes from outside to php can be wrong and should be considered as such - this will also increase security against some server-attack mechanisms.

And we are a large group doing an eXtreme developing - who knows exactly which function changes next day in which way?

marcus

At 14:31 11.03.2002, Zeev Suraski wrote:
> Frank,
>
> Don't be discouraged by the feedback here. Your efforts are well appreciated! You can choose to use whichever functions you deem best, as long as you're the one doing the work :)
>
> Zeev
>
> At 02:23 PM 3/11/2002, Jedi/Sector One wrote:
>> On Mon, Mar 11, 2002 at 01:21:02PM +0100, Stefan Esser wrote:
>>> strlcpy and strlcat are inventions of the OpenBSD project. Since they invented those they are trying to infect other projects.
>>
>> PHP is already infected.
>>
>> Try to grep for strlcpy and strlcat in the _vanilla_ PHP source code.
>>
>> But that's ok. If you don't want us to work on PHP, let our project stop.
>>
>> --
>> Frank DENIS (Jedi/Sector One) [EMAIL PROTECTED]
Re: [PHP-DEV] PHP audit project
On Mon, 11 Mar 2002, Jedi/Sector One wrote:
> The goal is to help the PHP development, not to keep the patches separate, only for OpenBSD.
>
> There are some OpenBSD enhancements, but they are all surrounded with #ifdef __OpenBSD__ .
>
> We don't want to break portability, nor to release something only for OpenBSD. The patches are there to be shared by everyone.
>
> FYI, I'm working on them on my Linux laptop.

Are the strlcpy and strlcat functions (used in the patches) available on Linux?

-\- David Eriksson -/-
I personally refuse to use inferior tools because of ideology. - Linus Torvalds
Re: [PHP-DEV] PHP audit project
On Mon, 11 Mar 2002, David Eriksson wrote:
> On Mon, 11 Mar 2002, Jedi/Sector One wrote:
>> The goal is to help the PHP development, not to keep the patches separate, only for OpenBSD.
>>
>> There are some OpenBSD enhancements, but they are all surrounded with #ifdef __OpenBSD__ .
>>
>> We don't want to break portability, nor to release something only for OpenBSD. The patches are there to be shared by everyone.
>>
>> FYI, I'm working on them on my Linux laptop.
>
> Are the strlcpy and strlcat functions (used in the patches) available on Linux?

[derick@kossu derick]$ man strlcpy
No manual entry for strlcpy
[derick@kossu derick]$ man strlcat
No manual entry for strlcat

Derick

> -\- David Eriksson -/-
> I personally refuse to use inferior tools because of ideology. - Linus Torvalds

--
PHP: Scripting the Web - [EMAIL PROTECTED]
All your branches are belong to me!
SRM: Site Resource Manager - www.vl-srm.net
Re: [PHP-DEV] PHP audit project
On Mon, Mar 11, 2002 at 01:17:07PM +0100, [EMAIL PROTECTED] wrote:
>> Are the strlcpy and strlcat functions (used in the patches) available on Linux?
>
> [derick@kossu derick]$ man strlcpy
> No manual entry for strlcpy
> [derick@kossu derick]$ man strlcat
> No manual entry for strlcat

PHP defines them if they don't exist. It's in main/strlcpy.c and main/strlcat.c

--
Frank DENIS (Jedi/Sector One) [EMAIL PROTECTED]
Re: [PHP-DEV] PHP audit project
On Mon, Mar 11, 2002 at 01:21:02PM +0100, Stefan Esser wrote:
> strlcpy and strlcat are inventions of the OpenBSD project. Since they invented those they are trying to infect other projects.

PHP is already infected.

Try to grep for strlcpy and strlcat in the _vanilla_ PHP source code.

But that's ok. If you don't want us to work on PHP, let our project stop.

--
Frank DENIS (Jedi/Sector One) [EMAIL PROTECTED]
Re: [PHP-DEV] PHP audit project
Hi,

> PHP is already infected.

Sorry, my fault. I have overseen that. I just wanted to clarify what strlcat and strlcpy are. I dislike OpenBSD because of several reasons but this list is not the right place to discuss anything like this.

> But that's ok. If you don't want us to work on PHP, let our project stop.

I don't have anything against you guys working on PHP. Four eyes do always see more than two and in the end i think our both interest is a secure PHP.

Stefan
Re: [PHP-DEV] PHP audit project
Frank,

Don't be discouraged by the feedback here. Your efforts are well appreciated! You can choose to use whichever functions you deem best, as long as you're the one doing the work :)

Zeev

At 02:23 PM 3/11/2002, Jedi/Sector One wrote:
> On Mon, Mar 11, 2002 at 01:21:02PM +0100, Stefan Esser wrote:
>> strlcpy and strlcat are inventions of the OpenBSD project. Since they invented those they are trying to infect other projects.
>
> PHP is already infected.
>
> Try to grep for strlcpy and strlcat in the _vanilla_ PHP source code.
>
> But that's ok. If you don't want us to work on PHP, let our project stop.
>
> --
> Frank DENIS (Jedi/Sector One) [EMAIL PROTECTED]
Re: [PHP-DEV] PHP audit project
At 13:21 11/03/2002 +0100, Stefan Esser wrote:
> Hi,
>
> strlcpy and strlcat are inventions of the OpenBSD project. Since they invented those they are trying to infect other projects.

I added them to PHP a long time ago and I have nothing to do with the OpenBSD project. They are extremely useful functions and should be used instead of strcat()/strcpy(). In Zend we only use memcpy()/memcmp() but for many uses strlcpy()/strlcat() are sufficient.

Andi
Re: [PHP-DEV] PHP audit project
And as long as you don't use strncpy()
Just kidding :)

Andi

At 15:31 11/03/2002 +0200, Zeev Suraski wrote:
> Frank,
>
> Don't be discouraged by the feedback here. Your efforts are well appreciated! You can choose to use whichever functions you deem best, as long as you're the one doing the work :)
>
> Zeev
>
> At 02:23 PM 3/11/2002, Jedi/Sector One wrote:
>> On Mon, Mar 11, 2002 at 01:21:02PM +0100, Stefan Esser wrote:
>>> strlcpy and strlcat are inventions of the OpenBSD project. Since they invented those they are trying to infect other projects.
>>
>> PHP is already infected.
>>
>> Try to grep for strlcpy and strlcat in the _vanilla_ PHP source code.
>>
>> But that's ok. If you don't want us to work on PHP, let our project stop.
>>
>> --
>> Frank DENIS (Jedi/Sector One) [EMAIL PROTECTED]
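The two 'defensive' techniques discussed in this thread, a strlcpy()-style bounded copy and sizeof(buffer) as the bound instead of a hardcoded number, shown together as an added example; it is not code from the thread, from PHP or from the phpaudit patch. The names ex_strlcpy, struct upload_entry and the helper functions are hypothetical, and ex_strlcpy is a stand-in written for this example, not PHP's main/strlcpy.c.

```c
#include <stdio.h>
#include <string.h>

/* Constructed record type; the size of `name` is the thing that may
 * change in a later revision of the code. */
struct upload_entry {
    char name[8];
};

/* Hypothetical strlcpy()-style copy, named ex_strlcpy so it never collides
 * with a libc that already provides strlcpy(). It always NUL-terminates
 * when dstsize > 0 and returns strlen(src), so truncation is detectable. */
static size_t ex_strlcpy(char *dst, const char *src, size_t dstsize)
{
    size_t srclen = strlen(src);

    if (dstsize != 0) {
        size_t n = (srclen >= dstsize) ? dstsize - 1 : srclen;
        memcpy(dst, src, n);
        dst[n] = '\0';
    }
    return srclen;
}

/* The bound comes from the destination itself, not from a literal 8.
 * Returns 1 if src fit, 0 if it was truncated. */
static int entry_set_name(struct upload_entry *e, const char *src)
{
    return ex_strlcpy(e->name, src, sizeof(e->name)) < sizeof(e->name);
}

/* Same idea for snprintf(): returns how many characters were cut off. */
static size_t entry_format_id(struct upload_entry *e, unsigned id)
{
    int want = snprintf(e->name, sizeof(e->name), "id-%u", id);

    if (want < 0)
        return (size_t)-1;
    if ((size_t)want < sizeof(e->name))
        return 0;
    return (size_t)want - (sizeof(e->name) - 1);
}

/* Caveat: sizeof only yields the buffer size when applied to the array.
 * Through a pointer it yields the size of the pointer. */
static size_t bound_via_pointer(const char *p)
{
    return sizeof(p);
}

/* 'sizeof expr' and 'sizeof(expr)' are the same operator; only a type
 * name requires the parentheses. */
static int sizeof_forms_agree(void)
{
    struct upload_entry e;
    return sizeof e.name == sizeof(e.name)
        && sizeof(struct upload_entry) == sizeof e;
}

int main(void)
{
    struct upload_entry e;

    printf("fit=%d name=%s\n", entry_set_name(&e, "a.txt"), e.name);
    printf("fit=%d name=%s\n", entry_set_name(&e, "a-much-longer-name"), e.name);
    printf("cut=%zu name=%s\n", entry_format_id(&e, 1234567u), e.name);
    printf("array bound=%zu pointer bound=%zu forms agree=%d\n",
           sizeof(e.name), bound_via_pointer(e.name), sizeof_forms_agree());
    return 0;
}
```

If `name` is later resized, every bound above follows it automatically, while a literal 8 would have to be found and changed by hand at each call site.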