[PHP-DOC] #41112 [NEW]: Numbering used for PHP documentation TOC

2007-04-17 Thread uttam at hotpop dot com
From: uttam at hotpop dot com
Operating system: Irrelevant
PHP version:  Irrelevant
PHP Bug Type: Documentation problem
Bug description:  Numbering used for PHP documentation TOC

Description:

Hi,

This is regarding the numbering system followed in Table of Contents for
PHP English documentation (http://www.php.net/manual/en/).

There are nine top-level sections, numbered using roman numerals as
follows:

I. Getting Started
II. Installation and Reference
III. 
.
.
IX. Appendices

The second-level sections of the first five top-level sections use continuous decimal
numbering as follows:

I. Getting Started
  1. Introduction
  2. A simple tutorial
II. Installation and Configuration
  3. General Installation Considerations
  4. Installation on Unix systems
  5. Installation on Mac OS X
  6. Installation on Windows systems
  7. Installation of PECL extensions
  8. Problems?
  9. Runtime Configuration
.
.

However, the sub-sections of section V (Function Reference) use roman
numerals again:
.
.
VI. Function Reference
  I. .NET Functions
  II. Apache-specific Functions
  III. Alternative PHP Cache
  IV. Advanced PHP debugger
  .
  .
  CLXXXVI. Zip File Functions
  CLXXXVII. Zlib Compression Functions
.
.

From section VII on, the sub-sections are again numbered using decimal
numbers, with the number continuing from section V:

VII. PHP and Zend Engine Internals
  44. Streams API for PHP Extension Authors
  45. PDO Driver How-To
  .
  .

I can't see the logic behind such numbering. Ideally, the sub-sections
under each top-level section should use decimal numbering that starts
from 1 under each section, i.e. the numbering should be as follows:

I. Getting Started
  1. Introduction
  2. A simple tutorial

II. Installation and Configuration
  1. General Installation Considerations
  2. Installation on Unix systems
  3. Installation on Mac OS X
  4. Installation on Windows systems
  5. Installation of PECL extensions
  6. Problems?
  7. Runtime Configuration

III. Language Reference
  1. Basic syntax
  2. Types
  3. Variables
  4. Constants
  5. Expressions
  6. Operators
  7. Control Structures
  8. Functions
  9. Classes and Objects (PHP 4)
  10. Classes and Objects (PHP 5)
  11. Exceptions
  12. References Explained
.
.

Also, because of the roman numerals used for section VI (Function
Reference) and the large number of sub-sections, the alignment of the
sub-section names w.r.t. the left edge keeps varying:

I. .NET Functions
II. Apache-specific Functions
III. Alternative PHP Cache
IV. Advanced PHP debugger
V. Array Functions
VI. Aspell functions [deprecated]
VII. BCMath Arbitrary Precision Mathematics Functions
VIII. PHP bytecode Compiler
IX. Bzip2 Compression Functions
X. Calendar Functions
XI. CCVS API Functions [deprecated]
XII. Class/Object Functions
.
.
CL. SimpleXML functions
CLI. SNMP Functions
CLII. SOAP Functions
CLIII. Socket Functions
CLIV. Standard PHP Library (SPL) Functions
CLV. SQLite Functions
CLVI. SQLite Functions (PDO_SQLITE)
CLVII. Secure Shell2 Functions
CLVIII. Statistics Functions
CLIX. Stream Functions
CLX. String Functions
CLXI. Shockwave Flash Functions
CLXII. Swish Functions
CLXIII. Sybase Functions
CLXIV. TCP Wrappers Functions
CLXV. Tidy Functions
CLXVI. Tokenizer Functions
CLXVII. Unicode Functions
CLXVIII. URL Functions
CLXIX. Variable Handling Functions
CLXX. Verisign Payflow Pro Functions
CLXXI. vpopmail Functions
CLXXII. W32api Functions
CLXXIII. WDDX Functions
CLXXIV. win32ps Functions
CLXXV. win32service Functions
CLXXVI. xattr Functions
CLXXVII. xdiff Functions
CLXXVIII. XML Parser Functions
CLXXIX. XML-RPC Functions
CLXXX. XMLReader functions
CLXXXI. XMLWriter Functions
CLXXXII. XSL functions
CLXXXIII. XSLT Functions
CLXXXIV. YAZ Functions
CLXXXV. YP/NIS Functions
CLXXXVI. Zip File Functions
CLXXXVII. Zlib Compression Functions

For a more logical numbering scheme, I suggest that:
1. All the sub-sections be numbered using decimal numbers.
2. The numbering should restart with change in top-level section.
3. Appendices may retain the current alphabetical numbering.

Thanks & Regards,

Uttam Shukla
India

Expected result:

I would expect a Table of Contents like this:

I. Getting Started
  1. Introduction
  2. A simple tutorial

II. Installation and Configuration
  1. General Installation Considerations
  2. Installation on Unix systems
  3. Installation on Mac OS X
  4. Installation on Windows systems
  5. Installation of PECL extensions
  6. Problems?
  7. Runtime Configuration

III. Language Reference
  1. Basic syntax
  2. Types
  3. Variables
  4. Constants
  5. Expressions
  6. Operators
  7. Control Structures
  8. Functions
  9. Classes and Objects (PHP 4)
  10. Classes and Objects (PHP 5)
  11. Exceptions
  12. References Explained
.
.
VI. Function Reference
  1. .NET Functions
  2. Apache-specific Functions
  3. Alternative PHP Cache
  4. Advanced PHP debugger
  5. Array Functions
  6. Aspell functions [deprecated]

[PHP-DOC] #41112 [Opn-Asn]: Numbering used for PHP documentation TOC

2007-04-17 Thread bjori
 ID:   41112
 Updated by:   [EMAIL PROTECTED]
 Reported By:  uttam at hotpop dot com
-Status:   Open
+Status:   Assigned
 Bug Type: Documentation problem
 Operating System: Irrelevant
 PHP Version:  Irrelevant
-Assigned To:  
+Assigned To:  bjori
 New Comment:

You have a good point there.
I'll look into it



Previous Comments:


[2007-04-17 07:05:16] uttam at hotpop dot com


[PHP-DOC] #41122 [NEW]: Incorrect resource type names for resources: fsockopen(), pfsockopen(), popen()

2007-04-17 Thread mahesh dot vemula at in dot ibm dot com
From: mahesh dot vemula at in dot ibm dot com
Operating system: RHEL 4
PHP version:  Irrelevant
PHP Bug Type: Documentation problem
Bug description:  Incorrect resource type names for resources: fsockopen(), 
pfsockopen(), popen()

Description:

fsockopen, pfsockopen, popen, and opendir functions use the streams layer
implementation, so the resources created by these functions are of stream
type. But the PHP 5 documentation shows different resource type names at
http://in2.php.net/manual/en/resource.php

An update at http://in2.php.net/manual/en/resource.php is
required. The “Resource type name” column should be modified to “stream”
for the functions fsockopen(), pfsockopen(), popen() and opendir().

Below code confirms that the resources created by fopen, fsockopen,
pfsockopen, popen, and opendir functions are of stream type.

Environment:
Operating System: RHEL 4
Linux Kernel : Linux 2.6.9
PHP Version: PHP 5.2 (Built on Apr 17, 2007 from snaps.php.net)
PHP Configure Setup: ./configure


Reproduce code:
---
<?php
$file_handle = fopen( __FILE__, "r" );
var_dump( get_resource_type($file_handle) );
fclose( $file_handle );

$dir_handle = opendir( "." );
var_dump( get_resource_type($dir_handle) );
closedir( $dir_handle );

$pipe_handle = popen( "/bin/ls", "r" );
var_dump( get_resource_type($pipe_handle) );
pclose( $pipe_handle );

$socket_handle = fsockopen( "tcp://127.0.0.1", 23 );
var_dump( get_resource_type($socket_handle) );
fclose( $socket_handle );
?>


Expected result:

string(6) "stream"
string(6) "stream"
string(6) "stream"
string(6) "stream"


Actual result:
--
string(6) "stream"
string(6) "stream"
string(6) "stream"
string(6) "stream"


-- 
Edit bug report at http://bugs.php.net/?id=41122&edit=1


[PHP-DOC] cvs: php-src(PHP_5_2) /ext/gd config.w32 gd.c php_gd.h

2007-04-17 Thread Pierre-Alain Joye
pajoye  Tue Apr 17 15:31:45 2007 UTC

  Modified files:  (Branch: PHP_5_2)
/php-src/ext/gd config.w32 gd.c php_gd.h 
  Log:
  - MFH: add imagegrabwindow and imagegrabscreen (win32 only) [DOC]
capture a window using its handle or a full screen
  
http://cvs.php.net/viewvc.cgi/php-src/ext/gd/config.w32?r1=1.10.4.3&r2=1.10.4.4&diff_format=u
Index: php-src/ext/gd/config.w32
diff -u php-src/ext/gd/config.w32:1.10.4.3 php-src/ext/gd/config.w32:1.10.4.4
--- php-src/ext/gd/config.w32:1.10.4.3  Wed Apr 11 11:44:20 2007
+++ php-src/ext/gd/config.w32   Tue Apr 17 15:31:45 2007
@@ -1,4 +1,4 @@
-// $Id: config.w32,v 1.10.4.3 2007/04/11 11:44:20 pajoye Exp $
+// $Id: config.w32,v 1.10.4.4 2007/04/17 15:31:45 pajoye Exp $
 // vim:ft=javascript
 
 ARG_WITH(gd, Bundled GD support, yes,shared);
@@ -24,6 +24,9 @@
CHECK_LIB(zlib.lib, gd, PHP_GD);
}
 
+   CHECK_LIB(User32.lib, gd, PHP_GD);
+   CHECK_LIB(Gdi32.lib, gd, PHP_GD);
+
EXTENSION(gd, gd.c gdttf.c, null, -Iext/gd/libgd, 
php_gd2.dll);
ADD_SOURCES(ext/gd/libgd, gd2copypal.c gd_arc_f_buggy.c gd.c 
\
gdcache.c gdfontg.c gdfontl.c gdfontmb.c gdfonts.c 
gdfontt.c \
http://cvs.php.net/viewvc.cgi/php-src/ext/gd/gd.c?r1=1.312.2.20.2.20&r2=1.312.2.20.2.21&diff_format=u
Index: php-src/ext/gd/gd.c
diff -u php-src/ext/gd/gd.c:1.312.2.20.2.20 php-src/ext/gd/gd.c:1.312.2.20.2.21
--- php-src/ext/gd/gd.c:1.312.2.20.2.20 Fri Apr  6 15:38:35 2007
+++ php-src/ext/gd/gd.c Tue Apr 17 15:31:45 2007
@@ -18,7 +18,7 @@
+--+
  */
 
-/* $Id: gd.c,v 1.312.2.20.2.20 2007/04/06 15:38:35 pajoye Exp $ */
+/* $Id: gd.c,v 1.312.2.20.2.21 2007/04/17 15:31:45 pajoye Exp $ */
 
 /* gd 1.2 is copyright 1994, 1995, Quest Protein Database Center,
Cold Spring Harbor Labs. */
@@ -52,6 +52,9 @@
 #ifdef PHP_WIN32
 # include io.h
 # include fcntl.h
+#include windows.h
+#include Winuser.h
+#include Wingdi.h
 #endif
 
 #if HAVE_LIBGD
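Review bot: style point on the three new includes: they break the `# include` indentation the two lines above them use inside the `#ifdef PHP_WIN32` block, and `windows.h` already pulls in `winuser.h` and `wingdi.h` in a normal build, so the last two are redundant. Keep a single `# include <windows.h>` indented like its neighbours.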
@@ -314,6 +317,18 @@
 ZEND_END_ARG_INFO()
 #endif
 
+#ifdef PHP_WIN32
+static
+ZEND_BEGIN_ARG_INFO(arginfo_imagegrabwindow, 0, 0, 1)
+   ZEND_ARG_INFO(0, handle)
+   ZEND_ARG_INFO(0, client_area)
+ZEND_END_ARG_INFO()
+
+static
+ZEND_BEGIN_ARG_INFO(arginfo_imagegrabscreen, 0)
+ZEND_END_ARG_INFO()
+#endif
+
 #ifdef HAVE_GD_BUNDLED
 static
 ZEND_BEGIN_ARG_INFO_EX(arginfo_imagerotate, 0, 0, 3)
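Review bot: ZEND_BEGIN_ARG_INFO takes two parameters (name, pass_rest_by_reference); the four-parameter form that carries required_num_args is ZEND_BEGIN_ARG_INFO_EX, which the arginfo_imagerotate block immediately below uses. As written, arginfo_imagegrabwindow hands `0, 0, 1` to the two-parameter macro, so the required-argument count of 1 is never recorded, and some compilers reject the surplus macro arguments outright. Change it to `ZEND_BEGIN_ARG_INFO_EX(arginfo_imagegrabwindow, 0, 0, 1)`.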
@@ -1020,6 +1035,11 @@
PHP_FE(imagecopyresampled,  
arginfo_imagecopyresampled)
 #endif
 
+#ifdef PHP_WIN32
+   PHP_FE(imagegrabwindow, 
arginfo_imagegrabwindow)
+   PHP_FE(imagegrabscreen, 
arginfo_imagegrabscreen)
+#endif
+
 #ifdef HAVE_GD_BUNDLED
PHP_FE(imagerotate, 
arginfo_imagerotate)
PHP_FE(imageantialias,  
arginfo_imageantialias)
@@ -2069,6 +2089,155 @@
 /* }}} */
 #endif
 
+#ifdef PHP_WIN32
+/* {{{ proto resource imagegrabwindow(int window_handle [, int client_area])
+   Grab a window or its client area using a windows handle (HWND property in 
COM instance) */
+PHP_FUNCTION(imagegrabwindow)
+{
+   HWND window;
+   long client_area = 0;
+   RECT rc = {0};
+   RECT rc_win = {0};
+   int Width, Height;
+   HDC hdc;
+   HDC memDC;
+   HBITMAP memBM;
+   HBITMAP hOld;
+   HINSTANCE handle;
+   long lwindow_handle;
+   typedef BOOL (WINAPI *tPrintWindow)(HWND, HDC,UINT);
+   tPrintWindow pPrintWindow = 0;
+   gdImagePtr im;
+
+   if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, l|l, 
lwindow_handle, client_area) == FAILURE) {
+   RETURN_FALSE;
+   }
+
+   window = (HWND) lwindow_handle;
+
+   if (!IsWindow(window)) {
+   php_error_docref(NULL TSRMLS_CC, E_NOTICE, Invalid window 
handle);
+   RETURN_FALSE;
+   }
+
+   hdc = GetDC(0);
+
+   if (client_area) {
+   GetClientRect(window, rc);
+   Width = rc.right;
+   Height = rc.bottom;
+   } else {
+   GetWindowRect(window, rc);
+   Width   = rc.right - rc.left;
+   Height  = rc.bottom - rc.top;
+   }
+
+   Width   = (Width/4)*4;
+
+   memDC   = CreateCompatibleDC(hdc);
+   memBM   = CreateCompatibleBitmap(hdc, Width, Height);
+   hOld= (HBITMAP) SelectObject (memDC, memBM);
+
+
+   handle = LoadLibrary(User32.dll);
+   if ( handle == 0 ) {
+   goto clean;
+   }
+   pPrintWindow = (tPrintWindow) GetProcAddress(handle, PrintWindow);  
+
+   if ( pPrintWindow )  {
+   pPrintWindow(window, memDC, (UINT) client_area);
+   } else {
+   
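Review bot: none of the GDI handles are checked before use. GetDC(0), CreateCompatibleDC() and CreateCompatibleBitmap() all document NULL as their failure return, yet SelectObject() and pPrintWindow() run unconditionally, and Width can be 0 for a minimized window after GetWindowRect(); test each result and `goto clean` on failure. The `Width = (Width/4)*4` line silently drops up to three pixel columns with no comment explaining why. Since User32.lib is now linked via config.w32, GetModuleHandle("user32.dll") would replace the LoadLibrary() call and remove the need for a matching FreeLibrary() in the cleanup (the excerpt cuts off before the clean label, so that cannot be checked here). `rc_win` is declared but never used, and the proto comment names the first parameter window_handle while the arginfo names it handle. On the [DOC] side: any integer a script supplies is cast straight to an HWND with only IsWindow() as a gate, so this captures any window on whatever desktop the PHP process runs in; the manual entry should say it is meant for CLI/desktop use and state what happens when there is no interactive desktop.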

[PHP-DOC] cvs: phpdoc /en/security filesystem.xml

2007-04-17 Thread Etienne Kneuss
colder  Tue Apr 17 16:31:00 2007 UTC

  Modified files:  
/phpdoc/en/security filesystem.xml 
  Log:
  Improve filesystem's security man page
  
http://cvs.php.net/viewvc.cgi/phpdoc/en/security/filesystem.xml?r1=1.3&r2=1.4&diff_format=u
Index: phpdoc/en/security/filesystem.xml
diff -u phpdoc/en/security/filesystem.xml:1.3 
phpdoc/en/security/filesystem.xml:1.4
--- phpdoc/en/security/filesystem.xml:1.3   Sun Aug  8 16:11:36 2004
+++ phpdoc/en/security/filesystem.xml   Tue Apr 17 16:31:00 2007
@@ -1,5 +1,5 @@
 ?xml version=1.0 encoding=iso-8859-1?
-!-- $Revision: 1.3 $ --
+!-- $Revision: 1.4 $ --
 !-- splitted from ./index.xml, last change in rev 1.66 --
   chapter id=security.filesystem
titleFilesystem Security/title
@@ -34,16 +34,19 @@
 ?php
 // remove a file from the user's home directory
 $username = $_POST['user_submitted_name'];
-$homedir = /home/$username;
-$file_to_delete = $userfile;
-unlink ($homedir/$userfile);
-echo $file_to_delete has been deleted!;
+$userfile = $_POST['user_submitted_filename'];
+$homedir  = /home/$username;
+
+unlink($homedir/$userfile);
+
+echo The file has been deleted!;
 ?
 ]]
  /programlisting
 /example
-   Since the username is postable from a user form, they can submit
-   a username and file belonging to someone else, and delete files.
+   Since the username and the filename are postable from a user form, 
+   they can submit a username and a filename belonging to someone else, 
+   and delete it even if they're not supposed to be allowed to do so.
In this case, you'd want to use some other form of authentication.
Consider what could happen if the variables submitted were
../etc/ and passwd. The code would then effectively read:
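Review bot: the example echoes "The file has been deleted!" whether or not unlink() succeeded; that is acceptable here, since the listing exists to show the missing authorization rather than error handling, and the later hardened example checks the return value. The explanatory sentence, though, reads awkwardly ("delete it even if they're not supposed to be allowed to do so"); suggest "and delete a file they have no right to delete."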
@@ -54,11 +57,13 @@
 ?php
 // removes a file from anywhere on the hard drive that
 // the PHP user has access to. If PHP has root access:
-$username = ../etc/;
-$homedir = /home/../etc/;
-$file_to_delete = passwd;
-unlink (/home/../etc/passwd);
-echo /home/../etc/passwd has been deleted!;
+$username = $_POST['user_submitted_name']; // ../etc
+$userfile = $_POST['user_submitted_filename']; // passwd
+$homedir  = /home/$username; // /home/../etc
+
+unlink($homedir/$userfile); // /home/../etc/passwd
+
+echo The file has been deleted!;
 ?
 ]]
  /programlisting
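Review bot: the inline comment `// ../etc` drops the trailing slash the prose just above uses ("../etc/"); both resolve to /etc/passwd (the doubled slash is collapsed by the kernel), but the comment and the prose should show the same value so the reader can follow the substitution step by step. The retained comment "If PHP has root access:" is also stale now that the listing shows assignments rather than a literal unlink; what actually matters is write permission on /etc, which is the point worth stating.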
@@ -86,23 +91,27 @@
 // removes a file from the hard drive that
 // the PHP user has access to.
 $username = $_SERVER['REMOTE_USER']; // using an authentication mechanisim
+$userfile = basename($_POST['user_submitted_filename']);
+$homedir  = /home/$username;
 
-$homedir = /home/$username;
+$filepath = $homedir/$userfile;
 
-$file_to_delete = basename($userfile); // strip paths
-unlink ($homedir/$file_to_delete);
-
-$fp = fopen(/home/logging/filedelete.log,+a); //log the deletion
-$logstring = $username $homedir $file_to_delete;
-fwrite ($fp, $logstring);
+if (file_exists($filepath)  unlink($filepath)) {
+$logstring = Deleted $filepath\n;
+} else {
+$logstring = Failed to delete $filepath\n;
+}
+$fp = fopen(/home/logging/filedelete.log, a);
+fwrite($fp, $lo gstring);
 fclose($fp);
 
-echo $file_to_delete has been deleted!;
+echo htmlentities($logstring, ENT_QUOTES);
+
 ?
 ]]
  /programlisting
 /example
-However, even this is not without it's flaws. If your authentication
+However, even this is not without its flaws. If your authentication
 system allowed users to create their own user logins, and a user
 chose the login ../etc/, the system is once again exposed. For
 this reason, you may prefer to write a more customized check:
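Review bot: `fwrite($fp, $lo gstring);` has a space inside the variable name and is a parse error; it must be `fwrite($fp, $logstring);`. Two smaller points in the same listing: basename() strips directory components but returns ".." unchanged, so a submitted filename of ".." yields "/home/$username/.." (unlink() refuses a directory, so it fails safely, but the branch still logs a "Failed to delete" line naming the parent path), and the fopen() of the log file is unchecked, so a missing log directory turns into a warning from fwrite(). The htmlentities() on the echoed string is a good addition: the previous version reflected the submitted filename into the page unescaped.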
@@ -111,14 +120,16 @@
  programlisting role=php
 ![CDATA[
 ?php
-$username = $_SERVER['REMOTE_USER']; // using an authentication mechanisim
-$homedir = /home/$username;
-
-if (!ereg('^[^./][^/]*$', $userfile))
- die('bad filename'); //die, do not process
+$username = $_SERVER['REMOTE_USER']; // using an authentication mechanisim
+$userfile = $_POST['user_submitted_filename'];
+$homedir  = /home/$username;
+
+$filepath = $homedir/$userfile;
+
+if (!ctype_alnum($username) || !preg_match('/^(?:[a-z0-9_-]|\.(?!\.))+$/iD', 
$userfile)) {
+die(Bad username/filename);
+}
 
-if (!ereg('^[^./][^/]*$', $username))
- die('bad username'); //die, do not process
 //etc...
 ?
 ]]
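Review bot: ctype_alnum() is locale-dependent, so after a setlocale() call some non-ASCII bytes count as alphanumeric; a fixed pattern such as `preg_match('/^[a-z0-9]+$/iD', $username)` is deterministic and also rejects the empty string. The filename pattern does what it claims: "/" and NUL bytes never match the class, `\.(?!\.)` refuses consecutive dots, and the D modifier stops a trailing newline from slipping past `$`. Two caveats deserve a sentence in the text: a bare "." passes the pattern (the path then names the home directory itself, which unlink() cannot remove), and a leading dot is allowed, so dotfiles such as .htaccess in the user's home directory are deletable. Also build $filepath after the check rather than before it, so nothing downstream can pick up the unvalidated value.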


[PHP-DOC] #37874 [Asn-Csd]: Improve the Filesystem Security manual page

2007-04-17 Thread colder
 ID:   37874
 Updated by:   [EMAIL PROTECTED]
 Reported By:  Harry dot Boeck at t-online dot de
-Status:   Assigned
+Status:   Closed
 Bug Type: Documentation problem
 Operating System: all
 PHP Version:  Irrelevant
 Assigned To:  colder
 New Comment:

This bug has been fixed in the documentation's XML sources. Since the
online and downloadable versions of the documentation need some time
to get updated, we would like to ask you to be a bit patient.

Thank you for the report, and for helping us make our documentation
better.

some improvements


Previous Comments:


[2006-12-21 06:58:43] mohammedferoz123 at gmail dot com

PLEASE SEND SOME SAMPLE TEST CASES OF WEB APPLICATION AND CLIENT SERVER
APPLICATION



[2006-06-23 04:23:47] judas dot iscariote at gmail dot com

in my latest comment I really mean even **without** allow_url_fopen
enabled



[2006-06-23 04:22:28] judas dot iscariote at gmail dot com

your latest comment has nothing to do with allow_url_fopen.. looks like
that is a combination of a MOS bug with the GLOBALS overwrite issue
detected by Steffan Esser some time ago..

additionally, buggy code like include $_GET['page']
can be exploited even with allow_url_fopen, to read local files, or for
arbitrary code execution tricking the php://input wrapper (that does not
obey allow_url_fopen at all). I think this last point, and the NULL byte
attack,
should be mentioned in the security docs too..



[2006-06-22 15:13:24] Harry dot Boeck at t-online dot de

Well, when I look at the intrusion attempts on my server, for example
(cut off from the log):

req:GET
/index2.php?option=com_contentdo_pdf=1id=1index2.php?_REQUEST[option]=com_content_REQUEST[Itemid]=1GLOBALS=mosConfig_absolute_path=...
req:GET
/index.php?option=com_contentdo_pdf=1id=1index2.php?_REQUEST[option]=com_content_REQUEST[Itemid]=1GLOBALS=mosConfig_absolute_path=...
req:GET
/mambo/index2.php?_REQUEST[option]=com_content_REQUEST[Itemid]=1GLOBALS=mosConfig_absolute_path=...
req:GET
/Mambo/index2.php?_REQUEST[option]=com_content_REQUEST[Itemid]=1GLOBALS=mosConfig_absolute_path=...
req:GET
/news/index2.php?_REQUEST[option]=com_content_REQUEST[Itemid]=1GLOBALS=mosConfig_absolute_path=...
req:GET
/home/index2.php?_REQUEST[option]=com_content_REQUEST[Itemid]=1GLOBALS=mosConfig_absolute_path=...
req:GET
/cvs/index2.php?_REQUEST[option]=com_content_REQUEST[Itemid]=1GLOBALS=mosConfig_absolute_path=...
req:GET
/index.php?option=com_contentdo_pdf=1id=1index.php?_REQUEST[option]=com_content_REQUEST[Itemid]=1GLOBALS=mosConfig_absolute_path=...
req:GET
/mambo/index.php?_REQUEST[option]=com_content_REQUEST[Itemid]=1GLOBALS=mosConfig_absolute_path=...
req:GET
/Mambo/index.php?_REQUEST[option]=com_content_REQUEST[Itemid]=1GLOBALS=mosConfig_absolute_path=...
req:GET
/news/index.php?_REQUEST[option]=com_content_REQUEST[Itemid]=1GLOBALS=mosConfig_absolute_path=...
req:GET
/home/index.php?_REQUEST[option]=com_content_REQUEST[Itemid]=1GLOBALS=mosConfig_absolute_path=...
req:GET
/cvs/index.php?_REQUEST[option]=com_content_REQUEST[Itemid]=1GLOBALS=mosConfig_absolute_path=...


then it seems that there are at least _a_few_ people out there who are not
able to read the pretty good documentation while being able to
program widespread public programs, versus those able to set up servers.
They are, of course, only extremely rare exceptions!

OK, I have done all I could to help those guys. If it shouldn't be,
then I will let it be.



[2006-06-22 14:56:15] [EMAIL PROTECTED]

It seems that this manual page[1] needs some fixes and is not really up
to date. I'll also add something about the include security hole.

[1] http://php.net/security.filesystem



The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at
http://bugs.php.net/37874

-- 
Edit this bug report at http://bugs.php.net/?id=37874&edit=1
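Added example, not code from the manual page or from the PHP project: it puts the username and filename checks from the filesystem.xml patch above together with a realpath() containment check, and replaces the `include $_GET['page']` pattern mentioned in the comments with a fixed allow-list lookup. The directory layout created under sys_get_temp_dir() and the page table are constructed for the demonstration.

```php
<?php
// Added example; not part of the manual page or the PHP project's own code.
declare(strict_types=1);

/**
 * Resolve $userfile inside $username's home directory below $base.
 * Returns the canonical absolute path, or null when a component is rejected
 * or the canonical path is not strictly inside the home directory.
 */
function resolveUserFile(string $base, string $username, string $userfile): ?string
{
    // Username: fixed ASCII class; unlike ctype_alnum() it does not depend on the locale.
    if (!preg_match('/^[a-z0-9]{1,32}$/iD', $username)) {
        return null;
    }
    // Filename: the pattern from the manual patch. "/" and NUL never match the
    // class, "\.(?!\.)" refuses "..", and D keeps a trailing newline from matching.
    if (!preg_match('/^(?:[a-z0-9_-]|\.(?!\.))+$/iD', $userfile)) {
        return null;
    }

    $homedir = realpath("$base/$username");
    if ($homedir === false) {
        return null;                       // no such home directory
    }
    $resolved = realpath("$homedir/$userfile");
    if ($resolved === false) {
        return null;                       // nothing there to act on
    }
    // Belt and braces: the canonical path must start with "<homedir>/".
    $prefix = $homedir . DIRECTORY_SEPARATOR;
    if (strncmp($resolved, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $resolved;
}

/**
 * Replacement for `include $_GET['page']`: look the request value up in a
 * fixed table. Anything not listed (../, php://input, NUL tricks) maps to null.
 */
function pageFor(string $requested, array $allowed): ?string
{
    return $allowed[$requested] ?? null;
}

// ---- constructed demonstration in a throw-away directory -------------------
$base = sys_get_temp_dir() . '/fsdemo_' . getmypid();
mkdir("$base/alice", 0700, true);
touch("$base/alice/notes.txt");
touch("$base/alice/.hidden");

$cases = [
    // username, filename,             should resolve?
    ['alice',   'notes.txt',           true],   // legitimate request
    ['alice',   '.hidden',             true],   // leading dot passes the pattern
    ['../etc',  'passwd',              false],  // traversal through the username
    ['alice',   '../../etc/passwd',    false],  // traversal through the filename
    ['alice',   "notes.txt\0.jpg",     false],  // NUL byte: pattern fails, no truncation
    ['alice',   'php://input',         false],  // wrapper syntax: ":" and "/" rejected
    ['alice',   '.',                   false],  // canonicalises to the home dir itself
    ['alice',   'missing.txt',         false],  // passes the pattern but does not exist
];
foreach ($cases as [$user, $file, $expected]) {
    $got = resolveUserFile($base, $user, $file) !== null;
    printf("%-8s %-20s %s\n", $user, addcslashes($file, "\0"),
           $got === $expected ? 'as expected' : 'MISMATCH');
}

$pages = ['home' => 'pages/home.php', 'about' => 'pages/about.php'];
foreach (['about', '../../etc/passwd', 'php://input'] as $req) {
    printf("page %-20s -> %s\n", $req, pageFor($req, $pages) ?? '(refused)');
}

// tidy up
unlink("$base/alice/notes.txt");
unlink("$base/alice/.hidden");
rmdir("$base/alice");
rmdir($base);
```

The pattern check and the realpath() check catch different things: the pattern rejects bad input before any filesystem call (including a NUL byte, which ereg() could not see), while the prefix comparison on the canonical path catches anything the pattern lets through that still ends up outside the home directory, such as a symlink. Note that realpath() returns false for a file that does not exist, so the function also refuses to hand back a path there is nothing at.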


[PHP-DOC] Re: [PHP-CVS] cvs: php-src(PHP_5_2) /ext/gd config.w32 gd.c php_gd.h

2007-04-17 Thread Marcus Boerger
Hello Pierre-Alain,

  since when are we adding major new features to release branches?

best regards
marcus

Tuesday, April 17, 2007, 5:31:45 PM, you wrote:

 pajoye  Tue Apr 17 15:31:45 2007 UTC

   Modified files:  (Branch: PHP_5_2)
 /php-src/ext/gd config.w32 gd.c php_gd.h 
   Log:
   - MFH: add imagegrabwindow and imagegrabscreen (win32 only) [DOC]
 capture a window using its handle or a full screen
   

[PHP-DOC] Re: [PHP-CVS] cvs: php-src(PHP_5_2) /ext/gd config.w32 gd.c php_gd.h

2007-04-17 Thread Antony Dovgal

On 04/17/2007 09:29 PM, Marcus Boerger wrote:

Hello Pierre-Alain,

  since when are we adding major new features to release branches?


Pierre, please leave this function for HEAD only, we don't add new features to 
5.2.
Thanks. 


--
Wbr, 
Antony Dovgal


[PHP-DOC] Re: [PHP-CVS] cvs: php-src(PHP_5_2) /ext/gd config.w32 gd.c php_gd.h

2007-04-17 Thread Antony Dovgal

On 04/17/2007 09:53 PM, Pierre Joye wrote:

On 4/17/07, Antony Dovgal [EMAIL PROTECTED] wrote:

On 04/17/2007 09:29 PM, Marcus Boerger wrote:
 Hello Pierre-Alain,

   since when are we adding major new features to release branches?

Pierre, please leave this function for HEAD only, we don't add new features to 
5.2.


Well, do you really see a problem in these two self contained
functions? They don't affect anything else in ext/gd or php and are on
windows only.


Don't get me wrong, it's not about you or the functions.
We have some rules and I believe everybody should abide by them.

--
Wbr, 
Antony Dovgal


[PHP-DOC] Re: [PHP-CVS] cvs: php-src(PHP_5_2) /ext/gd config.w32 gd.c php_gd.h

2007-04-17 Thread Edin Kadribasic


On 17/04/2007, at 20.01, Antony Dovgal wrote:


On 04/17/2007 09:53 PM, Pierre Joye wrote:

On 4/17/07, Antony Dovgal [EMAIL PROTECTED] wrote:

On 04/17/2007 09:29 PM, Marcus Boerger wrote:
 Hello Pierre-Alain,

   since when are we adding major new features to release branches?

Pierre, please leave this function for HEAD only, we don't add  
new features to 5.2.

Well, do you really see a problem in these two self contained
functions? They don't affect anything else in ext/gd or php and
are on windows only.


Don't get me wrong, it's not about you or the functions.
We have some rules and I believe everybody should abide by them.


Hi Antony, Marcus,

This is simply not true. 5.2.x is not simply a bug fix release. Minor  
and major functionality is added all the time. If you're too lazy to  
read the CVS I can list them for you.


So please don't comment on commits based on who is making them.

Edin


[PHP-DOC] Re: [PHP-CVS] cvs: php-src(PHP_5_2) /ext/gd config.w32 gd.c php_gd.h

2007-04-17 Thread Marcus Boerger
Hello Edin,

  either way it is ridiculous to add new features in the middle of a release
process. We are not only in a release branch here. We are even in the middle
of a release. In one that is even security focused.

best regards
marcus

Tuesday, April 17, 2007, 8:27:50 PM, you wrote:

 On 17/04/2007, at 20.01, Antony Dovgal wrote:

 On 04/17/2007 09:53 PM, Pierre Joye wrote:
 On 4/17/07, Antony Dovgal [EMAIL PROTECTED] wrote:
 On 04/17/2007 09:29 PM, Marcus Boerger wrote:
  Hello Pierre-Alain,
 
since when are we adding major new features to release branches?

 Pierre, please leave this function for HEAD only, we don't add  
 new features to 5.2.
 Well, do you really see a problem in these two self contained
 functions? They don't affect anything else in ext/gd or php and  
 are on
 windows only.

 Don't get me wrong, it's not about you or the functions.
 We have some rules and I believe everybody should abide by them.

 Hi Antony, Marcus,

 This is simply not true. 5.2.x is not simply bug fix release. Minor  
 and major functionality is added all the time. If you're too lazy to  
 read the CVS I can list them for you.

 So please don't comment on commits based on who is making them.

 Edin




Best regards,
 Marcus


Re: [PHP-DOC] moving doc.php.net to pb11

2007-04-17 Thread Vincent Gevers

Hey,

I can only say one thing..

Awesome to see some docweb activity !
We should keep it this way.. (also blaming myself)

Vincent

Sean Coates schreef:

Hi All,

We've finally finished the move and sync of everything to pb11 for
docweb (see http://doc.php.net.phpdoc.info/).

Everything seems to be working. Please test that everything matches
doc.php.net.

Note: because of the domain difference, anything related to the MAGIC
cookie isn't going to work.

If all is good, I'll ask someone with karma to switch the CNAME from
Jacques' server to the php.net one.

S



[PHP-DOC] Re: [PHP-CVS] cvs: php-src(PHP_5_2) /ext/gd config.w32 gd.c php_gd.h

2007-04-17 Thread Derick Rethans
On Tue, 17 Apr 2007, Antony Dovgal wrote:

 On 04/17/2007 09:29 PM, Marcus Boerger wrote:
  Hello Pierre-Alain,
  
since when are we adding major new features to release branches?
 
 Pierre, please leave this function for HEAD only, we don't add new features to
 5.2.

That's not true - we added many functions. I see no problems with those 
two new functions, but I think it'd be smarter to introduce them in 
5.2.3 as we just released an RC. I don't think we should *then* add more 
functions as with this we need to keep releasing new RCs.

regards,
Derick

-- 
Derick Rethans
http://derickrethans.nl | http://ez.no | http://xdebug.org


[PHP-DOC] Re: [PHP-CVS] cvs: php-src(PHP_5_2) /ext/gd config.w32 gd.c php_gd.h

2007-04-17 Thread Marcus Boerger
Hello Derick,

Tuesday, April 17, 2007, 8:58:40 PM, you wrote:

 On Tue, 17 Apr 2007, Antony Dovgal wrote:

 On 04/17/2007 09:29 PM, Marcus Boerger wrote:
  Hello Pierre-Alain,
  
since when are we adding major new features to release branches?
 
 Pierre, please leave this function for HEAD only, we don't add new features 
 to
 5.2.

 That's not true - we added many functions. I see no problems with those 
 two new functions, but I think it'd be smarter to introduce them in 
 5.2.3 as we just released an RC. I don't think we should *then* add more 
 functions as with this we need to keep releasing new RCs.

Fine with me. Though personally I hope we create 5.3 from 5.2.2 and avoid
this kind of discussion.

best regards
marcus


[PHP-DOC] Re: [PHP-CVS] cvs: php-src(PHP_5_2) /ext/gd config.w32 gd.c php_gd.h

2007-04-17 Thread Edin Kadribasic

Hello Marcus,

Did I miss your mail to Dmitry about making *major* engine changes to  
add Win64 support? I must also have lost your mail to Jani for adding  
new features to FastCGI too? I think I need to double check my spam  
filter.


Or was your response more in regard of *who* committed it than *what*  
was committed (major engine change versus two self-contained windows  
only functions)?


Edin



On 17/04/2007, at 20.51, Marcus Boerger wrote:


Hello Edin,

  either way it is ridiculous to add new features in the middle of a release
process. We are not only in a release branch here. We are even in the middle
of a release. In one that is even security focused.

best regards
marcus

Tuesday, April 17, 2007, 8:27:50 PM, you wrote:


On 17/04/2007, at 20.01, Antony Dovgal wrote:

On 04/17/2007 09:53 PM, Pierre Joye wrote:

On 4/17/07, Antony Dovgal [EMAIL PROTECTED] wrote:

On 04/17/2007 09:29 PM, Marcus Boerger wrote:

Hello Pierre-Alain,

  since when are we adding major new features to release branches?

Pierre, please leave this function for HEAD only, we don't add
new features to 5.2.

Well, do you really see a problem in these two self contained
functions? They don't affect anything else in ext/gd or php and
are on windows only.

Don't get me wrong, it's not about you or the functions.
We have some rules and I believe everybody should abide by them.

Hi Antony, Marcus,

This is simply not true. 5.2.x is not simply a bug fix release. Minor
and major functionality is added all the time. If you're too lazy to
read the CVS I can list them for you.

So please don't comment on commits based on who is making them.

Edin





Best regards,
 Marcus



[PHP-DOC] Re: [PHP-CVS] cvs: php-src(PHP_5_2) /ext/gd config.w32 gd.c php_gd.h

2007-04-17 Thread Edin Kadribasic

On 17/04/2007, at 21.08, Marcus Boerger wrote:


Hello Derick,

Tuesday, April 17, 2007, 8:58:40 PM, you wrote:


On Tue, 17 Apr 2007, Antony Dovgal wrote:



On 04/17/2007 09:29 PM, Marcus Boerger wrote:

Hello Pierre-Alain,

  since when are we adding major new features to release branches?

Pierre, please leave this function for HEAD only, we don't add
new features to 5.2.

That's not true - we added many functions. I see no problems with those
two new functions, but I think it'd be smarter to introduce them in
5.2.3 as we just released an RC. I don't think we should *then* add more
functions as with this we need to keep releasing new RCs.

Fine with me. Though personally I hope we create 5.3 from 5.2.2 and avoid
this kind of discussion.


Another option is to re-release RC1. Give people early chance to test  
win64 release?


Or make 5.2.2 as mostly security release and leave these new features  
for 5.2.3. I don't think we need 5.3.x as long as we can maintain  
binary compatibility.


Edin


[PHP-DOC] Re: [PHP-CVS] cvs: php-src(PHP_5_2) /ext/gd config.w32 gd.c php_gd.h

2007-04-17 Thread Marcus Boerger
Hello Edin,

  it appears I should read cvs commits more carefully. I thought that win64
change was a pretty easy one not affecting anything else. Reviewing it again
I get a different opinion. And sorry but I can't care less about FCGI and
whether someone moves stuff from CLI to FCGI. Or did Jani do more than we
were discussing?

best regards
marcus

And for the record: the stuff Pierre added is cool, and yes, I am even a
Windows user.

Tuesday, April 17, 2007, 9:09:34 PM, you wrote:

 Hello Marcus,

 Did I miss your mail to Dmitry about making *major* engine changes to  
 add Win64 support? I must also have lost your mail to Jani for adding  
 new features to FastCGI too? I think I need to double check my spam  
 filter.

 Or was your response more in regard of *who* committed it than *what*  
 was committed (major engine change versus two self-contained windows  
 only functions)?

 Edin



 On 17/04/2007, at 20.51, Marcus Boerger wrote:

 Hello Edin,

   either way it is ridiculous to add new features in the middle of a release
 process. We are not only in a release branch here. We are even in the middle
 of a release. In one that is even security focused.

 best regards
 marcus

 Tuesday, April 17, 2007, 8:27:50 PM, you wrote:

 On 17/04/2007, at 20.01, Antony Dovgal wrote:

 On 04/17/2007 09:53 PM, Pierre Joye wrote:
 On 4/17/07, Antony Dovgal [EMAIL PROTECTED] wrote:
 On 04/17/2007 09:29 PM, Marcus Boerger wrote:
 Hello Pierre-Alain,

   since when are we adding major new features to release branches?

 Pierre, please leave this function for HEAD only, we don't add
 new features to 5.2.
 Well, do you really see a problem in these two self contained
 functions? They don't affect anything else in ext/gd or php and
 are on windows only.

 Don't get me wrong, it's not about you or the functions.
 We have some rules and I believe everybody should abide by them.

 Hi Antony, Marcus,

 This is simply not true. 5.2.x is not simply a bug fix release. Minor
 and major functionality is added all the time. If you're too lazy to
 read the CVS I can list them for you.

 So please don't comment on commits based on who is making them.

 Edin




 Best regards,
  Marcus





Best regards,
 Marcus


[PHP-DOC] Re: [PHP-CVS] cvs: php-src(PHP_5_2) /ext/gd config.w32 gd.c php_gd.h

2007-04-17 Thread Edin Kadribasic

On 17/04/2007, at 21.24, Marcus Boerger wrote:


Hello Edin,

  it appears I should read cvs commits more carefully. I thought that win64
change was a pretty easy one not affecting anything else. Reviewing it again
I get a different opinion. And sorry but I can't care less about FCGI and
whether someone moves stuff from CLI to FCGI. Or did Jani do more than we
were discussing?


And yet two self-contained functions inside #ifdef PHP_WIN32 in the gd  
module warrant your scrutiny? But never mind. My only goal with my  
post was to promote even-handed application of the principle "no new  
features after RC1".


Edin


Re: [PHP-DOC] moving doc.php.net to pb11

2007-04-17 Thread Nuno Lopes
Regarding the orphan notes problem that Nuno brought up, at the last  
minute we consolidated docweb to use the central CVS sources (for  
phpdoc-all, phpweb, livedocs, etc.) on pb11 because before it was  
checking out its own and inserting those php manual rsyncs. This  
change broke the orphan notes but it's now being fixed by Sean.


Thanks :)
Nuno